password time limit (13 posts)

  1. Ptryk
    Member
    Posted 8 years ago #

    wondering.. (after perusing the support site.. couldn't find an answer to this..)

    in pluggable-functions.php
    there are some values for setting password time limit

    setcookie('wordpressuser_'. $cookiehash, $username, time() + 31536000, $cookiepath);

    1> .. is the 31536000 .. in milliseconds or seconds!?
    2> .. does anyone know if it is as easy to limit the time the cookie is valid by changing this? ..
    3> .. is there some standard way (= w/o hacking the php) to lock someone out after the standard 3 attempts?

    thanks for any advice/help/personal experience!

  2. pizdin_dim
    Member
    Posted 8 years ago #

    1. The number is in seconds and should equate to 1 year.
    2. Yes, changing this to say 2592000 should equate to 30 days instead.
    3. No, I don't believe there is. You will have to hack login.php to keep track of the number of failures.

  3. Ptryk
    Member
    Posted 8 years ago #

    thanks!!!

  4. Ptryk
    Member
    Posted 8 years ago #

    1/2> yes, seconds .. yes it was that easy to change.

    3> as the admin function seems to reside in login.php .. for posts/pages it seems it is actually located in : template-functions-post.php

    let me run this by some of yall.. to build in some type of a 1.. 2.. 3 (more or less) strikes and you are out policy.. i assume the best way would be to create an array that would keep count of the number of tries made from an ip address for each post/page.. per time period. there would then be a test at query time that would test to see if it was clear for access or not .. any thoughts / vulnerabilities?

  5. pizdin_dim
    Member
    Posted 8 years ago #

    Although I haven't done this in WP, I have done similar stuff elsewhere, like this:

    Use a PHP session variable to keep track of the number of logins. When that exceeds the maximum you will allow, "deactivate" the user. In WP, I think this might be done by changing the user_level column in the users table to 0 (zero).

  6.

    When that exceeds the maximum you will allow, "deactivate" the user. In WP, I think this might be done by changing the user_level column in users table to 0 (zero).

    What if someone tries to log into your account 3 times? Then your account will be set to 0 and you'll lose access to your own blog. That doesn't sound like a good plan to me...

    I'd just blacklist the IP from the login form for X hours + set a cookie that also blocks them.

  7. pizdin_dim
    Member
    Posted 8 years ago #

    What if someone tries to log into your account 3 times? Then your account will be set to 0 and you'll lose access to your own blog. That doesn't sound like a good plan to me...

    Yes, that's certainly true and it will be a problem if you don't have direct access to the MySQL database, either with SSH or something like phpMyAdmin.

    However, if you have direct database access, it's actually an excellent security mechanism for exactly the same reasons you outline and that's why I always do it that way.

  8.

    Whatever floats your boat, but I wouldn't find it fun to have to go into my database every 5 minutes and have to re-admin my account if someone tries to login with my username. :)

    BTW: what's your blog URL if you have this on your blog? ;)

  9. Ptryk
    Member
    Posted 8 years ago #

    great comments guys! ..

    i guess I was leaning toward creating a database within wordpress..
    (found this as well : http://www.as400pro.com/servlet/sql.tipView?key=1072&category=HTML )

    wordpress (database)
        wp-postprotected (table)
            post_counter (how many tries .. set in admin options panel.. would be same for all posts/pages )
            post_counter_time_in_effect (when would counter reset automatically .. set in admin options panel .. would be same for all posts/pages)
            post_time_penalty (how long an ip would be blocked .. set in admin options panel .. would be same for all posts/pages)
        wp-protected_post_id (table)
        ip_address (table)
            counter
            time_of_last_try_failed

    so each protected post (posts &/or pages) would have a set of ip_addresses that each has a counter and time that they last tried and failed

    sure someone could move to a new ip, etc.. but that seems to be able to be solved through a kind of throttle/choke on the system..e.g. if tries and fails > 10 in 10 min per post then lock down the page for some amount of time.

  10. pizdin_dim
    Member
    Posted 8 years ago #

    Ptryk: I think I may have misunderstood your request: I thought you were talking about the login password but it seems you meant the page password. If that's the case, forget what I said as it doesn't really apply. What you're proposing seems like a good model.

    Viper007Bond: No, no blog. I'm talking about custom (typically ecommerce) websites that I build for the client here.

  11. Ptryk
    Member
    Posted 8 years ago #

    pizdin .. couldn't the concept work just as well for the admin login? (assuming if the mechanisms were to lock you out you could go into phpMyAdmin? or gain access through ftp / server side?)

  12. pizdin_dim
    Member
    Posted 8 years ago #

    Yes, it could but the "wp-protected_post_id" table would not be applicable. Perhaps another user-based one would be more appropriate. Or you could just do the session/user_level thing.

  13. Ptryk
    Member
    Posted 8 years ago #

    been looking into how to make this happen.. had a new/different thought: i am thinking that there really is no reason to apply the protection to a specific post/page/login.. why not have it simply track ip's and if an ip makes say 3 login errors somewhere on the site within say 10 hours then that ip will get blocked from being able to try passwords?
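The per-IP counter with automatic reset and penalty period sketched in post 9 (including the cross-IP "throttle/choke" on a page), and the site-wide "3 login errors within 10 hours" lockout from post 13, as one added example that is not code from this thread or from WordPress. It is written in Python rather than PHP for compactness and keeps its state in memory where the thread proposes database tables; the class and method names (FailureTracker, record_failure, page_locked) are assumptions of this example.

```python
import time
from collections import defaultdict


class FailureTracker:
    """Counts failed password tries per (scope, ip) in a sliding window and
    applies a penalty once the limit is hit. Constructed example; the three
    knobs mirror the thread's proposed admin options: max_tries (post_counter),
    window (post_counter_time_in_effect), penalty (post_time_penalty)."""

    def __init__(self, max_tries=3, window=10 * 3600, penalty=3600):
        self.max_tries, self.window, self.penalty = max_tries, window, penalty
        self.failures = defaultdict(list)  # (scope, ip) -> failure timestamps
        self.blocked_until = {}            # (scope, ip) -> unix time block ends

    def is_blocked(self, ip, scope="login", now=None):
        now = time.time() if now is None else now
        until = self.blocked_until.get((scope, ip))
        if until is None:
            return False
        if now >= until:  # penalty served: clear block and start counting afresh
            del self.blocked_until[(scope, ip)]
            self.failures.pop((scope, ip), None)
            return False
        return True

    def record_failure(self, ip, scope="login", now=None):
        """Log a failed try; return True if this one triggers a block."""
        now = time.time() if now is None else now
        key = (scope, ip)
        # drop tries older than the window so the counter resets on its own
        recent = [t for t in self.failures[key] if now - t < self.window]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) >= self.max_tries:
            self.blocked_until[key] = now + self.penalty
            return True
        return False

    def record_success(self, ip, scope="login"):
        self.failures.pop((scope, ip), None)  # a good password clears the count

    def page_locked(self, scope, now=None, limit=10, window=600):
        """Throttle across IPs: True when failures on this scope in the window
        exceed the limit, so an attacker hopping addresses is still stopped."""
        now = time.time() if now is None else now
        count = sum(1 for (s, _ip), ts in self.failures.items() if s == scope
                    for t in ts if now - t < window)
        return count > limit
```

Scope is a post/page id for the protected-post case or the fixed string "login" for post 13's site-wide variant; a real deployment would persist the two dictionaries in the tables from post 9 and call is_blocked before checking the password at all.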

Topic Closed

This topic has been closed to new replies.
