Ok, so we were getting a lot of login attempts from all over after having been exploited on a content type that was left open (that issue was resolved), but our website just kept getting hammered by login attempts, slowing things down. Thought this module would do the trick from everything I've read. Well, within an hour of its use it had blocked two admin accounts and the IP address at our office!

If it hasn't been thought of, you should be able to set specific role/accounts, more specifically admin accounts, to not be blocked by login_security (at most it should notify the admin, etc.). If it wasn't for my Android on 4G we would have been screwed! Deleting the module via FTP doesn't do anything because the IP was already in the Drupal blocked system. Weird thing is everyone here at the office uses automated login with their admin accounts, as in the browser has their info stored, so it's not an issue and no one ever received a failed login attempt. I'm sure I could reproduce the issue if needed, but that will have to wait till after the holidays. Too busy for that at the moment. We really like the idea behind this module as it is highly recommended - but without some sort of safeguards for us/admins we can't use it at the moment!

If anyone thinks I missed something in configuration (though I read through the documentation thoroughly, including all read-me files), so I can't imagine I did..

Comments

Michael_Lessard_micles.biz

+1 that is a good point.

An IP whitelist or allowed host could work.

Was proposed 2 years ago...

(I can't do it)