After having a couple of times customers complaining that they locked out with the max simultaneous logins - I dug a bit deeper because I thought 4 logins per 24 hours should be plenty (s2member default is 3, or recommended).
I checked in wordfence and noted that unsuccesful attempts count too!
Now I’m not sure how wordfrence determined the login to be unsuccesful in that case- but basically that means wrong password.
So if you set it to 4, and a user 4 times tries a wrong password, then uses the correct password he cannot login I assume.
Or could there be another reason? And yeah it’s complicated with cookies. Some users try to login with noscript or similar that block the login cookie.
There is also this older thread: Max Simultaneous Logins
Something here is broken - it will not affect many users but some are affected due to circumstances I don’t exactly know.
And yeah - it’s not the IP restriction which I disabled (needs to be disabled if you have IP6 active, if you deactivated IP6 and only use IP4 can leave it enabled).
Miss a bit of time to further try what exactly is happening - but clearly failed some login attempts according to wordfence count too!
Brute Force Login protection is disabled (Wordfence is the better option for me here).
Is the only solution to fully disable it and monitor manually if there could be a leaked user/password combination that many people may use to login? The problem is while wordfence stores login attempts in the firewall / live traffic. It only shows failed logins as invalid user or valid user. There is no other reason for failed login though I guess it can only be wrong password if user exsits. Wordfence itself sadly has no max simultaneous logins - would prefer that seeing that s2member is not correctly working on this point.