WordPress.org

Ready to get started?Download WordPress

Forums

Duo Two-Factor Authentication
[resolved] Better implementation/compatibility with wp_login_url() (7 posts)

  1. Taylor4484
    Member
    Posted 9 months ago #

    I'm running a multisite on WP Engine, and they modify the wp-login url to do some custom security work.

    I've been chatting with their technical support and they have a suggestion for making this plugin more general for better compatibility.

    I have tested their suggestions on a few installs both WPEngine and non, both multisite and single site, and it does not affect the functionality of the plugin, only extends compatibility.

    On line 76 of duo_wordpress.php, trac link:
    http://plugins.trac.wordpress.org/browser/duo-wordpress/trunk/duo_wordpress.php#L76

    change this line:
    'post_action': '<?php echo wp_login_url() ?>',
    to this:
    'post_action': '<?php echo site_url( 'wp-login.php', 'login_post' ) ?>',

    Here's the Codex link for site_url:
    http://codex.wordpress.org/Function_Reference/site_url

    For example WPEngine changes the login_post scheme to append some parameters their security system needs to the url like so:
    http://www.mywordpresssite.com/wp-login?WPE-login=mywpengineaccountname
    These parameters were not being called when using wp_login_url()

    http://wordpress.org/plugins/duo-wordpress/

  2. octalmage
    Member
    Posted 9 months ago #

    This is a common method used to help fight against bot brute force attempts and will help this plugin be more compatible with other security plugins.

  3. Taylor4484
    Member
    Posted 9 months ago #

    I appreciate this making it into the new release, however the latest release breaks duo two again for multisite on WPEngine.
    On line 76 in Duotwo.php you have:
    'post_action': '<?php echo esc_url(network_site_url('wp-login.php', 'login_post')) ?>',

    This works for me:
    'post_action': '<?php echo esc_url(site_url('wp-login.php', 'login_post')) ?>',

    http://codex.wordpress.org/Function_Reference/site_url
    I see that the codex suggests network_site_url, but using network_site_url causes a "no data loaded error", the same issue as earlier in this ticket but changing it back to site_url allows it to work as intended.

    Not sure if this could be related to the changes 3.7 made to Multisite, but maybe?

    Anyway this is what worked for me. Maybe @octaimage (support guy at WPEngine) can weigh in here!

  4. Duo Security
    Member
    Plugin Author

    Posted 8 months ago #

    Thanks for all the great feedback around this issue. The latest version of our plugin (1.7), released 10/30/2013 contains a fix for this specific issue.

  5. Spacedmonkey
    Member
    Posted 5 months ago #

    @Taylor4484 @octalmage

    I had a similar issue in my multisite, using 3.8 and setup in sub domain config. The above site_url fix worked for me. Not sure why duo are using network_site_url as site_url works fine.

    I have detailed my issue better on github and sent them a pull request. Hopefully Duo can merge the change...

  6. Taylor4484
    Member
    Posted 5 months ago #

    @spacedmoney, I'm having the same problem, I just go in and change the plugin to use site_url any time there is an update.

    Are you using WPEngine?

  7. Spacedmonkey
    Member
    Posted 5 months ago #

    I am not using WPEngine, I am using the multisite in sub domain config.

    I have submitted the fix to them, up to @duosecurity to work on it now.

Reply

You must log in to post.

About this Plugin

About this Topic