Max failed logins. Please wait about 30 minutes and try again

Hi, we’ve received the above error and I cannot even log in as admin. So, I can’t do the reset from within s2Member. I have cPanel access. On the old forum I see someone had the same problem and he was told how to reset, but his response is as follows:

“Yeah, that would be an obvious solution if you could actually log in to do it. My admin account was locked (as stated above) thus no WP Admin. It was locked for at least 3 hours. I finally hacked your plugin to omit the check long enough to get in and reset the log. I will be creating a tool to do this in the future. It was painful being unable to administer my site all day.”

So, do you know how one hacks the plugin to reset the login count?

Thanks, David Cundy

There is never any need to “hack” a WordPress plugin to deactivate it. You just need to rename the plugin’s folder. (Just add -off to the name so that you know which one you have renamed.) Then log in, then change the name back and (if necessary) reactivate the plugin from the plugins list.


Okay, I can go to my host and change the name to -off as you suggest. But once I do that what do I need to change so it doesn’t happen again?

You will need to change settings of s2M at “Settings -> s2Member -> Restriction Options -> Brute Force IP/Login Restrictions” just after the login.

This is also happening to me.
What do I do once at “Brute Force IP/Login Restrictions”?
Can I somehow add my IP or login so that I’m not logged out?
Or do I need to establish myself as a “customer” (note I haven’t completed the setup yet).
I’m not a coder so I need a simple answer please 🙂
Thank you!

You guys should keep in mind that something triggered that restriction. It’s protecting your site from what seems an attack.

I recently had a customer ask me about this via email and, after some exchange, we found that someone had been trying to hack his account, and that’s why the account had been locked for a bit.

If you’re getting that restriction triggered, I suggest that you find out why and take the necessary measures, instead of just removing the protection preventing a possible attacker from breaking in.

Having said all that, you can edit the restriction so it’s less strict. Just raise the number of attempts allowed before considering it an attack. WP Admin > s2Member > Restriction Options > Brute Force

You could also have a second admin account, for those times when your main one is locked, so you can go in there and reset the restriction.

But the restriction only lasts for 30 mins anyway, so it’s not that bad having to wait for it to go back to normal when it gets triggered.

I hope that helps. 🙂


To really solve this, never use the username “Admin” or any defaults that are going to get hammered by bots trying to hack your site.

Keep that in mind if you’re creating a new site because WP doesn’t let you change your username later (but you can search for methods to do it anyway if you’re brave).

Then install the Edit Author Slug plugin so that your username isn’t given away in your post urls.

If you’re even braver, disable the s2Member brute force and use the one provided by the Wordfence plugin instead.

It will show you your most commonly-used usernames being attacked. You’ll see “admin” and your author slug as the top ones.

But since that isn’t your real username you won’t be locked out.


Thanks @bopters and @clavaque.
I use an email as my login and a very strong password. I’ve added the Author slug plugin (great idea).
Well aware of all the hacking. I simply wondered if there was a “backdoor” for the site owner when issues like this happen.
