ip restrictions doesn't work on subsites

Hello,

First of all, thanks for your plugin and thanks in advance for your help.

We have activated the Login Restrictions on the main website and on one of our subdomains. While it works fine and protects us from Brute Force attacks on the main site (Thanks for that feature!), it doesn’t stop Brute Force attackers on the sub-site at all. You can try as many times as you want. It is strange and unnerving.

Could you provide me with help? Is it a bug that requires fixing?

Best regards,

s2Member’s multisite feature is that you can specify how many child blogs the user can create based on his s2Member Level. As with other plugins, s2Member can be available to the child blog admins, but each blog has its own scope. s2Member restrictions don’t work across the network, only in the scope of the blog its working from. So IP restrictions on Blog A won’t work on Blog B, only Blog A.

Dear Cristián,

I am aware of how it’s supposed to work, thank you. I have done that exactly as you mention. But even though the restrictions are set on the subsite, they are ineffectual and we’re having attackers hammering us. I would love to understand and fix this as soon as possible.

Thanks for helping,

So you have a child blog with s2Member active and the URI restriction set, but it doesn’t seem to be protecting the URI the way you expected it?

Did you set a Membership Options Page? Restrictions won’t become active before you set that page. [hilite path]Dashboard -› s2Member® -› General Options -› Membership Options Page[/hilite]

If that’s not the problem, could you submit your site’s info? Please include what page you’re trying to restrict access too, so I can compare its URL to the string you entered in the URI restriction. s2Member® » Private Contact Form

Please leave me a reply here letting me know when you sent the email. Thanks!

Dear Cristián,

It appears I am being unclear, I would like to apologize for that. I’d like to restrict bots from attempting to login multiple times. For this, I try to use s2members’ “Brute Force IP / Login Restriction” section in the “Restriction Options”.

The subsite doesn’t need to have a sign up page, just a login page. The login page is hammered by bots a lot. We would love to use your plugin’s functionality to refuse login after 3 failed attempts. All is configured correctly as far as I can tell, however, the function doesn’t stop offending IP addresses to attempt login. Therein lies our difficulty.

Thanks for your patient and well-meaning help,

Evren from the GHF Team

Thanks for explaining it.

So you configured the Brute Force restriction in your main site and the login attempts are in a child blog of the network? Is that it?

The restrictions will only work in the scope of the blog they are in. If you have s2Member active with the restriction in Blog A, it won’t apply the restriction to Blog B.

Thank you for your understanding :)

Each subsite has its own preferences regarding these restrictions, I understand that very well. The plugin is network activated and the main site (Blog A, let’s call it, works great). We set the preferences for each individual sites with great care.

New members registering on Blog A are automatically added to some of the subsites (via the Multisite User management plugin).

On one of these subsites (Blog B), we needed a login page. So, we have configured the membership option page as well as the login welcome page through your fine s2Members plugin. On Blog B and Blog A separately, the “Brute Force IP/Login Restrictions” sections are set to “Allow 3 failed login attempts (then punish for 30 minutes)”. Unfortunately, in Blog B, these settings aren’t taken into account and bots hammer Blog B’s login page.

I hope I am making myself clear. Do not hesitate to ask further questions if it isn’t the case.

Kind regards,

Evren from the GHF Team

Ah, I see, you’ve customized your network with another plugin to add the user to multiple blogs in it.

Maybe it’s not adding them properly as if they were a user of each blog and that’s why the restriction in Blog B is not being applied to them? Have you tried creating a user in Blog B to see if the restriction is applied to him correctly then?

It appears that the Login Restrictions work now. Yet, I have trouble understanding why the unsuccessful attempts show up in the Activity Monitor plugin for Blog B but not Blog A.

It would be great to know because it is a bit of a nuisance… yet not all mysteries are worth solving, I guess. If you don’t have any useful insight in this, you may mark the thread as resolved.

Thank you very much for your help.
Have a nice week-end.

No, I don’t really know what to say, other than my opinion that WordPress multisite can still use improvement. In the meantime, the only way to go seems to be relying on plugins for multisite, and a lot of customization to help them work together.

I’m very glad you got it working. Have a great weekend too! :)