On our site I turned on the registered users and selected by email.
Concrete CMS locked out all users and banned our IP.
This is obviously a bug that simply should not be allowed to happen at all.
Please respond with haste as I have a client whose entire web access is now blocked.
An IP gets automatically banned when someone enters wrong usernames/passwords multiple time in a short time delay.
After a while (20 minutes IIRC) the IP is automatically unblocked btw.
That should not happen at all.
All admins are banned.
After the period of waiting we cannot access the site using existing admin details.
âInvalid email address or password is provided as errorâ
Do I have to rebuild the entire site and install a new CMS because of this or is there a terminal work around?
IPs are banned regardless the username: you specify a wrong password multiple times? The system blocks your IP for a while.
And that must occur ESPECIALLY for administrators (otherwise your website would be a possible target of brute force attacks which are aimed in particular to administrators).
You can of course add specific IPs (or IP ranges) to an allow list (they wonât never be blocked).
You can also disable the whole IP blocking feature (at your own risk).
This can be done via the dashboard, as well as using the ./concrete/bin/concrete5 c5:config set -g CLI command (or editing the config php files directly).
The problem is that Iâm not in front of a PC atm, and I donât remember the exact configuration keys.
Hi, so when we went to allow âregistered usersâ the CMS blocked admins who were using usernames instead of email addresses.
I am not sure you reply is the correct information.
It looks like I will have to reinstall the entire CMS and rebuild the website if we cannot get access.
Surely their is a fail safe that a admin can go to the /var/www folder and change a file.
Looks like there is no server admin work around other than to rebuild the entire site.
Disappointing.
Who has told you thatâs the only option?
Itâs simply not true.
I get the impression here that youâve changed the login process/screen to expect an email address instead of username, and therefore it doesnât work when someone puts in a username.
The error message youâve said suggests youâre in email mode.
If this is the problem, you can change it directly in config by going to file:
/application/config/generated_overrides/concrete.php
and finding the value for email_registration, in the user/registration section. You can just change that from true to false and save it down.
Going forward, you have to either pick login by username or login by email, you canât have both operating. It sounds like you just have to make sure that the admins that are set up know what email address associated with their accounts to enter instead.
Thereâs no process in Concrete that is going to ban all admins. This just sounds like youâve changed a setting without realising, then have made the wrong assumption as to what is going wrong.
Might be good to edit the subject of this email thread, as itâs not going to help you get the answers.
