WordPress.org


Login LockDown
Appears to be broken (29 posts)

  1. aljuk
    Member
    Posted 2 years ago #

    I've been using it happily for several years, and it's always performed well.

    However, yesterday I was hit by a brute force attack on my login page, and Login Lockdown didn't pick up on it.

    http://wordpress.org/extend/plugins/login-lockdown/

  2. waldhorn
    Member
    Posted 2 years ago #

    Same here.

    I tested the Login Lockdown on WordPress 3.2.1 and it simply doesn't work. One can enter bad credentials numerous times without the Login Lockdown admin panel listing a blocked IP address.

    Be sure to test before relying on this plugin!

  3. mvandemar
    Member
    Plugin Author

    Posted 2 years ago #

    I just tested and it absolutely locked me out after the 3rd incorrect password attempt. Remember, the default is to ignore incorrect usernames, since those have no chance of ever logging in anyway.

    @waldhorn - by "bad credentials", did you use valid usernames but incorrect passwords?

  4. rwilki
    Member
    Posted 2 years ago #

    Not working for me anymore either. This is so disappointing...

  5. MaydayPictures
    Member
    Posted 2 years ago #

    I had a problem with this plugin as well. I installed yesterday. This morning, when I tried to access my login page, it was completely gone and replaced with this:

    WordPress database error Table 'so-and-such_blog.wp_lockdowns' doesn't exist for query SELECT user_id FROM wp_lockdowns WHERE release_date > now() AND lockdown_IP LIKE '64.183.205%' made by wp_signon, wp_authenticate, isLockedDown

    So basically it just locked me down without having made any attempts to login.

    Anyone know why this could be?

  6. mvandemar
    Member
    Plugin Author

    Posted 2 years ago #

    @MaydayPictures - that's not locking you out, that is an error saying that the database doesn't exist. Something happened to delete the tables in the database that Login LockDown uses. You should delete and reinstall, see if that helps. If not you can email me the url and I will look at it for you.

  7. mvandemar
    Member
    Plugin Author

    Posted 2 years ago #

    And by that I mean delete and reinstall the plugin, not WordPress.

  8. MaydayPictures
    Member
    Posted 2 years ago #

    Thanks! I did delete it through FTP earlier, and I was able to access my log in page again. I haven't tried to reinstall as I've been pretty busy this morning. I'll probably try later today or tomorrow. If it doesn't work, I will definitely take you up on your offer to take a look.

    Thank you for your help!

  9. biurotax
    Member
    Posted 2 years ago #

    Doesn't work for me. Does it have something to do with unwritable htaccess? I changed permission to htaccess.

  10. mvandemar
    Member
    Plugin Author

    Posted 2 years ago #

    @biurotax - no, Login LockDown doesn't use .htaccess at all. When you say that it "doesn't work", what are the symptoms?

  11. biurotax
    Member
    Posted 2 years ago #

    I'm able to make unlimited login attempts and it doesn't lock me. I use proper username and wrong passwords.

  12. mvandemar
    Member
    Plugin Author

    Posted 2 years ago #

    @biurotax if you would like to drop me an email I would be happy to take a look for you. If you follow the credit link for the website in the plugin my contact info is there.

  13. cypherhackz
    Member
    Posted 1 year ago #

    @mvandemar, how can I contact you via email? There is something that I want to ask about this plugin. Thank you.

  14. mvandemar
    Member
    Plugin Author

    Posted 1 year ago #

    It's michael at my domain of endlesspoetry which is a dot com. :)

  15. JADickerson
    Member
    Posted 1 year ago #

    I installed this a few days ago, and it doesn't seem to be doing anything.
    How can we tell? Is there a log file?

  16. mvandemar
    Member
    Plugin Author

    Posted 1 year ago #

    @JADickerson - Try to log in 4 times in a row using a real username but the wrong password. What happens?

  17. JADickerson
    Member
    Posted 1 year ago #

    It locked me out.
    Now I can't login as myself either.

  18. Aahan Krish
    Member
    Posted 1 year ago #

    Hi Michael (mvandemar),

    You are the developer of Login Lockdown I presume? First I saw that it wasn't updated in years, and then I saw one of the expert developers I know using it on his own blog.

    Even though that's pretty much enough concrete evidence, I would still like to go ahead and ask — is it still as strong and secure today as it was before? I mean, security programs always seem to require constant updates, and yours does not? Just asking!

    Cheers!

  19. SteveW928
    Member
    Posted 1 year ago #

    @mvandemar
    I'm not sure what the protocol for releasing an update is, but I'd also add that it would be a good idea to get rid of the 'not updated in 2 years' banner, as that will make people pass by it (I almost did). Also, some of the security plugins and services are now using plugin-age as a metric to flag problems.

    But, my question I wanted to ask...
    Will this also apply to XMLRPC for remote publishing? I'd really like to turn that feature on, but don't want this to be a weak point for hackers.
    Thanks!

  20. mvandemar
    Member
    Plugin Author

    Posted 1 year ago #

    @Aahan Krish - Sorry for the delay, I am unsure why I did not get notification of new replies to this thread. Yes, it does work fine.

    @SteveW928 - you are correct, I really do need to update this. As to the XMLRPC, I have never used it. However, from what I just researched it appears as if it does use wp_authenticate(), which is what my plugin overrides, so my guess is that it works with that as well. If you use XMLRPC yourself then you could test this by entering in the wrong password into your client intentionally, and then attempting to make 3 bad posts. Then go and see if you can manually log in to the normal wp-login.php page.

  21. wallyO
    Member
    Posted 1 year ago #

    Hello mvandemar,
    Thanks for your very useful plugin, I have been using it on all my sites for years. However recently I have noticed some problems.
    On a fresh local install of WordPress, when Login LockDown is activated:

    1. loginlockdownAdminOptions - a:5:{s:17:"max_login_retries";...
      is created in the options table.
    2. loginlockdown_db1_version is created in the options table
    3. The table wp_lockdowns is not created
    4. The table wp_login_fails is not created

    Subsequent failed logins with or without real user names fail to create the two tables in my tests.

  22. mvandemar
    Member
    Plugin Author

    Posted 1 year ago #

    @wallyO - does the database user you are using for this local install have create table permissions on the database? Feel free to email me if you need help debugging this.

  23. wallyO
    Member
    Posted 1 year ago #

    phpmyadmin export for this user is,

    GRANT USAGE ON *.* TO 'wordpresDBldax'@'localhost' IDENTIFIED BY PASSWORD '- - - - -';
    
    GRANT ALL PRIVILEGES ON 'wordpresdbldax'.* TO 'wordpresDBldax'@'localhost';

  24. wallyO
    Member
    Posted 1 year ago #

    Hello mvandemar,
    I have just tested this on one of my live sites by uninstalling login lockdown, deleting wp_lockdowns and wp_login_fails then reinstalling login lockdown.
    The tables were recreated on activation and are registering failed login attempts as expected.
    My problem must be specific to my testing server.
    Apologies for wasting your time.

  25. mvandemar
    Member
    Plugin Author

    Posted 1 year ago #

    @wallyO - I would still be interested in knowing what the issue was if you do figure it out. Thanks.

  26. Elnz
    Member
    Posted 1 year ago #

    Hello mvandemar,

    Thanks for the plugin. I have the same problem as wallyO. I installed the plugin but there aren't tables wp_loginfails or wp_lockdowns in my db. At the moment I'm working on localhost. My WP version is 3.0.4.

    Can you help me plz?

  27. Elnz
    Member
    Posted 1 year ago #

    Edit:

    I created both tables with MySQL code. Now the plugin is working :) and I'm locked out for the next hour :)

    ps: Same problem on 3.4.2 wp version.

  28. wallyO
    Member
    Posted 1 year ago #

    I have done some troubleshooting and have found that if called directly the loginLockdown_install function does create the two database tables on my wamplite server.
    The problem lies in the lines 311-315.
    On my LAMP Production server this works as designed, $activatestr outputs
    activate_login-lockdown/loginlockdown.php
    On my WAMPlite Development server this does not work, $activatestr outputs
    C:\Users\user\Documents\MySites\wordpress-site\login-lockdown.dev\wp-content\plugins\login-lockdown\loginlockdown.php
    This happens because __FILE__ outputs
    C:\Users\user\Documents\MySites\wordpress-site\login-lockdown.dev\wp-content\plugins\login-lockdown\loginlockdown.php
    and
    WP_PLUGIN_DIR . "/"
    outputs
    C:\Users\user\Documents\MySites\wordpress-site\login-lockdown.dev/wp-content/plugins/
    I got this to work on the DEVELOPMENT server and the PRODUCTION server by replacing

    if(!defined('WP_PLUGIN_DIR')){
    define('WP_PLUGIN_DIR', ABSPATH . 'wp-content/plugins');
    }
    $activatestr = str_replace(WP_PLUGIN_DIR . "/", "activate_", __FILE__);
    add_action($activatestr, 'loginLockdown_install');

    with
    register_activation_hook( __FILE__, 'loginLockdown_install' );
    PS. Apparently register_activation_hook is only called on activation not on update. It is documented here.
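
The separator mismatch described in post 28, reproduced stand-alone as an added example (not code from the plugin or from any poster). The function names and sample paths are constructed for illustration; the second function shows the separator normalisation that makes the derived hook name match on both servers, and the hook-name format is taken from the LAMP output quoted in the post.

```php
<?php
// Added illustration: runs without WordPress. All paths are constructed samples.

// Derivation quoted in the post: strip the plugin directory prefix from the
// file path with a literal, separator-sensitive str_replace.
function fragile_hook_name(string $pluginDir, string $file): string
{
    return str_replace($pluginDir . '/', 'activate_', $file);
}

// Separator-insensitive derivation: convert both paths to forward slashes
// first, and return null when the file is not under the plugin directory so
// the failure is visible instead of silently registering a dead hook.
function normalized_hook_name(string $pluginDir, string $file): ?string
{
    $dir  = rtrim(str_replace('\\', '/', $pluginDir), '/') . '/';
    $path = str_replace('\\', '/', $file);
    if (strncmp($path, $dir, strlen($dir)) !== 0) {
        return null;
    }
    return 'activate_' . substr($path, strlen($dir));
}

// Hook name from the post's LAMP output; the install routine runs only if
// the registered name equals this string.
$expected = 'activate_login-lockdown/loginlockdown.php';

$samples = [
    // Linux: plugin dir and file path both use "/".
    'LAMP' => ['/var/www/site/wp-content/plugins',
               '/var/www/site/wp-content/plugins/login-lockdown/loginlockdown.php'],
    // Windows: the plugin dir ends in "/wp-content/plugins" (mixed separators)
    // while the file path uses "\" throughout, as in the post.
    'WAMP' => ['C:\\Sites\\wp/wp-content/plugins',
               'C:\\Sites\\wp\\wp-content\\plugins\\login-lockdown\\loginlockdown.php'],
];

foreach ($samples as $label => [$dir, $file]) {
    $fragile = fragile_hook_name($dir, $file);
    $normal  = normalized_hook_name($dir, $file);
    printf("%s fragile:    %s => %s\n", $label, $fragile,
        $fragile === $expected ? 'install runs' : 'install never runs');
    printf("%s normalized: %s => %s\n", $label, $normal ?? '(not under plugin dir)',
        $normal === $expected ? 'install runs' : 'install never runs');
}
```

On the WAMP sample the fragile derivation returns the full file path unchanged, so the install routine is never attached to the activation hook and the two lockout tables are never created.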

  29. Elnz
    Member
    Posted 1 year ago #

    Thanks Wally, I tested it with

    register_activation_hook( __FILE__, 'loginLockdown_install' );

    and it worked.

    :)

Topic Closed

This topic has been closed to new replies.
