Hi, I'm getting confused about the two types of protection options available in cPHulk: username-based and IP address-based.
I've read the doc page for this but it's a bit unclear to me as it self-references a bit.
In the section about username-based protection, it says:
"Username-based Protection — Whether to enable the username-based protection settings. Set the toggle to On to enable the Username-based Protection setting. Username-based protection tracks login attempts for user accounts."
Does this mean that this option tracks login attempts based solely on the user name entered (or email address for webmail)? That is, if anyone on the internet tries to log into this account and fails "x" times, it will lock down that account from allowing *anyone* to log into it, including the valid owner? If this is the case, would that not allow hackers to effectively lock out the valid owner of the account by continuously attempting failed logins for that user ID?
For this reason, I'm thinking I only want to enable the IP address-based protection, but I don't want to disable a valuable protection if I'm not understanding it properly. My particular case is a webmail account that a user is getting locked out of, but is able to log into some of the time. Other times, they get the "The login is invalid" error message even though they repeatedly enter the correct username and password. I've checked the server logs and they show blocking due to multiple failed attempts, so I'm wondering if this protection option is counting someone else's earlier failed attempts and locking the valid owner out of their own account.
Thanks in advance for any clarification you can provide...