I've had several ip_lockout_deny_impossible status notifications in my event log. Some of the bots attempting to access end up on time outlock despite attempting to using locally blocked and non-existent login id's. They keep trying to access anyway, every minute for hours for each wp_login and wp_xmlrpc, and then I get the ip_lockout_deny_impossible status. What does this mean? Thanks.
The only way to stop hackers from making attempts completely is by placing an extra layer between your site and them. This can be done by spinning up and configuring a proxy server. Since this is not possible from within a WordPress plugin, the hackers can make the attempts without any limitation; HOWEVER, their attempts will always fail, thanks to the Limit Login Attempts Reloaded plugin. Although we can't stop the attempts, we make it so all of them are unsuccessful, keeping your site secure.
The ip_lockout_deny_impossible status might occur from time to time when attempts are frequent and you lock/unlock users manually at the same time. We will investigate this. Regardless of the reason behind this status, the corresponding attempt will always be denied.
Thanks, and good to know it will always be denied. To help in your investigation, I have not been manually blocking at the same time. These particular bot attacks resulting ip_lockout_deny_impossible status usually happen 1am - 6am US, when I'm asleep. I'll see if I can spin up a proxy server via Cloudflare, which they shouldn't be getting through anyway. Please keep me updated as to what you find.