Difficult to log in recently

Post Reply New Topic

I am getting a lot of Error messages when I try to log in. Yesterday it was saying 'Try again in 59 hours'. Today it's 'you have 4 attempts left to log in.'

I'm used the same password and username I've always had!

This has happened several times to me, also.

It stops me from logging in, sometimes for hours at a time.

And the number of hours it mentions before trying again, seems random and has ranged from 25 hours to 65 hours.

Sometimes it'll say try again in say, 59 hours, and then if I try within another 10 minutes I can log in fine.

I always try to remain logged in. Occasionally the system logs me out for no apparent reason, but getting back in is usually straightforward.

Well I changed my password as it advised and still couldn't get in today til now. I suppose I'll just have to see what happens each day

Yes. I am back after a 58 hour wait.

Welcome back!

Thanks.

There's a session timeout, set to 7200 seconds (2 hours), which likely gets reset with your activity on WP - browsing, posting etc.
This is rather like online banking logging you out after a period of inactivity.

Once upon a time Firefox had a "Refresh page every X seconds" option but that seems to have gone away, so I use this add-on instead:
https://addons.mozilla.org/firefox/addo ... o-refresh/

To keep a track of my subscribed thread updates I use it to auto-refresh my "Subscriptions" page (My Account | Overview | Manage subscriptions) - which also keeps the session permanently active.
For me, this is much more useful and better focussed than endlessly checking for new posts.

Maybe the hit-and-miss emailed thread update alert issue has been fixed, so using the auto-refresh is either a coincidence or it's a fix in itself, because since starting it a few months ago I now regularly receive emailed thread update alerts.


I have no idea where the extreme enforced login delays are coming from.
One technique is to allow (say) 3 failed logons, then each subsequent failed logon doubles a delay before you can try logging on again - so if you fail 1 more time that's 1 minute, again is 2 minutes, again is 4 minutes and so on.

But WP doesn't implement this - or at least, it's not visible at the administrator level.
There are failed logon timeouts but they're quite modest and nowhere near the tens of hours reported here.
It's conceivable something "stronger" is implemented at the CloudFlare level, which I can't see, but even so the tens of hours delay is unnecessarily extreme.

It's possible that refreshing the browser logon window will clear or reset these delays and allow a logon, but if that doesn't work immediately there's no point in repeating it.

It's been pointed out that these failed logins and delays could be the result of bots attempting to brute-force guess a password, where many password combinations are automatically tried over a short period of time in an attempt at guessing it.

That would generate many failed login attempts and apparently, through some non-visible mechanism, the extended delays before being allowed to try again.

I don't think there's any immediate worry - this is something any site could be subjected to, but reviewing your password and increasing its length/complexity would decrease the chances of it being guessed.

Unfortunately these are bad actors external to WP and their activity is not something I'm able to control.

How do you know it is bots and not a human or humans doing the password guessing?

It seems like a lot of effort for a person to employ bots to guess the passwords of an obscure internet forum.

I don't know - it's just that having an actual person sitting there spending hours entering password guesses isn't how it's normally done. Bots are free, fast, can work 24/7 without tiring, and they can be fed different word/phrase combinations to try with little to no effort.

While WP itself is a little obscure, if it can be cracked covertly and set up as a bot farm it becomes quite valuable to spammers.

Ah, sorry, what I meant with the question was to ask how do we know it isn't a human controlling the bots, but I realise now that is what you meant anyhow with your initial post.

I just had an idea of a mindless army of bots descending upon the website. I am not sure how these things work as you can determine.

It could be one or many - I can't see the activity, unfortunately.

One benefit (from a security viewpoint, at least) is that if failed logins are causing increasing delays before being allowed to try again, that would affect the bots too and thus slow their activity.

Ddos always troubles small websites

I couldn't even log in, tried resetting my password, that didn't work but then for whatever reason I don't know, my old password works again.