WordPress.org

Ready to get started?Download WordPress

Forums

Stealth Login Page
Is Redirection Actually Working In v4.0 ? (10 posts)

  1. kirstie99
    Member
    Posted 11 months ago #

    I've just upgraded to v4, having used the earlier version without any problems at all.

    However, even with redirection enabled, if the wrong username or pw is entered into the login box I get this error message "ERROR: Invalid username. Lost your password?" and no redirection takes place.

    Can anyone else confirm whether redirection is actually working in v4.0?

    Thanks,

    Kirstie

    http://wordpress.org/plugins/stealth-login-page/

  2. Jesse Petersen
    Member
    Plugin Author

    Posted 11 months ago #

    The redirection has nothing to do with those fields, which is my bad - this redirection is solely associated with not filling in the correct auth code.

    If you are using the old method, the redirection had nothing to do with a successful or not login - solely on the correct or incorrect login URL.

    This is primarily targeted at bots and I'm taking steps to make a comprehensive security plugin one feature at a time - then it will all come together based on what's working and not.

    Does that clear it up?

  3. kirstie99
    Member
    Posted 11 months ago #

    From my testing:

    1. If someone/bot enters a VALID username and an incorrect password, they are redirected.

    2. If someone/bot enters a VALID username, a correct password and an incorrect Authorization code, they are redirected.

    3. If someone/bot enters a username that DOESN'T exist and an incorrect password they get the "ERROR: Invalid username. Lost your password?" error message and are NOT redirected.

    This seems a little illogical to me. After all, most bots start off by trying to brute force "admin" as a username. As no one with any sense uses admin as a username anyway, this means that the bot will get the error message and continue trying to attack the login page as per the third case above.

    So the login hasn't really been "Stealthed" like in previous versions. Instead, it's pretty much like we now need 2 passwords to login instead of one.

    Surely it makes more sense to "bounce" a bot off our site to somewhere else (thus reducing the load on our site) if the bot uses a username that doesn't exist or an incorrect password?

    Thanks,

    Kirstie.

  4. Jonathan
    Member
    Posted 11 months ago #

    I am also seeing this issue. When I enter a legitimate username with a bad password and bad auth code I don't get redirected. I actually just get an incorrect username and password message. Is this how it's supposed to work?

    Thanks a lot.

  5. Jesse Petersen
    Member
    Plugin Author

    Posted 11 months ago #

    The redirect is based on the auth field. I'll have to re-work things, it'd appear.

    Please revert to 3.0.0 if this is too bothersome and I do agree that stealth is gone, but it was changed for reasons in the threads that I've stickied in the forums.

    I'll add an option to use either method OR you can simply clear out the auth field in the settings and your old settings should still be in the database unless you deactivated and deleted 3.0.0 before updating.

    I'm slowly adding different methods so people can choose and this method was strictly because of WP 3.6 heartbeat API.

  6. Jonathan
    Member
    Posted 11 months ago #

    Thanks Jesse. As far as I can see you can't actually clear out the auth field because when you try to save you get a js validation error. Am I missing something there?

    I went ahead and downgraded our sites to 3.0.

    Thanks for the quick response.

    Jonathan

  7. Jesse Petersen
    Member
    Plugin Author

    Posted 11 months ago #

    Darn, no. I did put that in place so people couldn't save with blank fields. I forgot about that. You can go into SQL and clear that out of the settings, but stick with 3.0.0 until WP 3.6 comes out and I'll see how fast I can have 4.1.0 out.

  8. Jonathan
    Member
    Posted 11 months ago #

    Thanks Jesse. You did an awesome job with the plugin. I think people are just frustrated because the simplicity of v3 of the plugin worked so well and required minimal effort on their part. I'm looking forward to seeing the next iteration.

    Jonathan

  9. kirstie99
    Member
    Posted 11 months ago #

    I couldn't agree more with Jonathan.

    Jesse, v3 was groundbreaking and an absolutely brilliant plugin - both in terms of concept and ease of use.

    Plus I loved the idea of redirecting bots and attackers instantly off my site to somewhere else.

    As you advise, I'll stick with v3 for the moment.

    Thanks again ;-)

  10. Jesse Petersen
    Member
    Plugin Author

    Posted 11 months ago #

    Noted. It is coming back. ASAP.

    I clearly made an error in judgement in preparing for WP 3.6 (dropped yesterday, so go update after making a backup and see what happens when you sit idle in a post too long.

    I will ensure I have several feature checkboxes, so I'm working out the UI in my head before I begin because I have so many full-site projects in my queue.

Reply

You must log in to post.

About this Plugin

About this Topic

Tags

No tags yet.