A user locked herself out by mistyping her password a few times. Wordfence is set to lock IPs for 24 hours. I log in and "unlock" her IP. She goes back to the login page and is rejected again. In short, "unlock" is broken.
I see that in your wfLog.php, you have:
public function unlockOutIP($IP){
$this->getDB()->queryWrite("delete from " . $this->lockOutTable . " where IP=%s", wfUtils::inet_aton($IP));
}
I don't think that's enough. You're holding on to the IP in the transient wflginfl_<IP>, which seems to have an impact.
Also, I see (but don't understand) that every time you check whether an IP is locked out, you also bump up the count. It's like, if she even comes near the login page before 24 hours has expired, it resets the clock. In:
public function isIPLockedOut($IP){
if($this->getDB()->querySingle("select IP from " . $this->lockOutTable . " where IP=%s and blockedTime + %s > unix_timestamp()", wfUtils::inet_aton($IP), wfConfig::get('loginSec_lockoutMins') * 60)){
$this->getDB()->queryWrite("update " . $this->lockOutTable . " set blockedHits = blockedHits + 1, lastAttempt = unix_timestamp() where IP=%s", wfUtils::inet_aton($IP));
return true;
} else {
return false;
}
}
To actually perform the unlocking that you link advertises, I had to got delete the transients from the wp_options table. I'm not even sure we're out of the woods yet.