
Login Security Solution
[resolved] NOT RECOMMENDED (21 posts)

  1. P3air
    Member
    Posted 1 year ago #

    doesn't repel brute force attacks

    period

    http://wordpress.org/extend/plugins/login-security-solution/

  2. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Hi:

    Would you be so kind as to explain the scenario under which it doesn't work, please?

    Thanks,

    --Dan

  3. P3air
    Member
    Posted 1 year ago #

    sorry - no
    it would give any attacker an architectural background of our site.

    Despite all settings, attackers were still able to bounce off 80+ tries before we had to interfere manually. We think these attacks are cookie/jQuery related since the timing is very consistent and precise.

  4. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Hi:

    I was not asking for specific details about your site.

    I'm looking for an outline of why you think LSS didn't work. Your saying the attackers were able to "bounce off 80+ tries before we had to interfere manually" is a start.

    How many minutes did it take them to make those hits?

    Thanks,

    --Dan

  5. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Hi P3air:

    It seems you misunderstand what this plugin does. An explanation of the matter has been added to the FAQ, entitled "I just got hit with 500 failed logins! Why isn't this plugin working?!?" Check it out.

    Just because something doesn't work the way you want it to doesn't mean it doesn't work. And it's certainly a lousy reason for doling out trash talk and one star ratings.

    Thanks,

    --Dan

  6. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    The FAQ has been updated with a section entitled "Will you provide lock outs / blocks in addition to slow downs?" It explains how this plugin works and how it actually blocks attackers.

  7. mdSeuss
    Member
    Posted 1 year ago #

    Gotta love folks like P3air who shoot first, don't really understand, and don't even ask questions later. Nice drive by P3air!

  8. P3air
    Member
    Posted 1 year ago #

    it's a nice little plugin and whoever's using it and is happy with it, so be it. BUT: your plugin does NOT protect against BRUTE force attacks - just because you create a Q&A doesn't make it suitable -

    mdSeuss, we hate to rain on to your parade, but you need to put your Kool-Aid aside and grow up. You have zero understanding of what the real problem with this plugin is.

    So, to give you guys a quick heads-up: Most brute force attacks are jQuery driven: every 2 sec. a bounce against login/database. These attacks do not trigger wp-login.php - they come direct ... Unless the hacker is an idiot and types the password 3256 times into wp-login.php and hits enter, your plugin will not recognize the attack.

    That may give you a clue where the fundamental flaw in your plugin is.

    As we said in the beginning: it's a cool little plugin and whoever's using it and feels protected with it, great - if you run a serious site, don't use it. It gives you a false sense of protection.

    Our $0.02 - PEACE

  9. mdSeuss
    Member
    Posted 1 year ago #

    You must be new to open source etiquette P3air. You drop your load in a topic and don't provide any concrete details?

    Please.

  10. webvitaly
    Member
    Posted 1 year ago #

    @P3air: The Limit Login Attempts plugin protects well against brute force. It limits login tries to a specific number, and this number is not enough to brute the password.

    "+1" for "to rain on to your parade" quote :)

  11. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    P3air:

    Most of brute force attacks are jQuery driven: every 2 sec. a bounce against login/database.

    Thank you for finally explaining your scenario. Can you please provide a sample payload and the path (URI without domain) of such a request?

    Thanks.

  12. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Hi P3air:

    The reason I asked for a proof of concept is because I'm pretty sure this plugin already handles the scenario you're mentioning. The Login Security Solution checks all WordPress' authentication hooks, not just activity in wp-login.php.

    It'd be great if you were actually interested in improving security by participating in the open source community.

    You may say I'm a dreamer
    But I'm not the only one
    I hope someday you'll join us...

  13. blizcreak
    Member
    Posted 1 year ago #

    @P3air: I find your comments here really odd.

    You downloaded a free plugin as you hoped it would do something for you.

    You decided (rightly or wrongly) that it doesn't do what you wanted it to do.

    You then come here and say "it doesn't work" without explaining in any way how you came to that conclusion.

    The author then offers to fix the plugin so that it does work for you, but you just ignore that.

    So, did you want a solution that works? Or do you just want to complain about something that you got for free?

    Very odd.

    Everyone here is concerned about web security. There is no such thing as complete security, other than turning your website off. The goal of open source (such as this plugin) is that we work together to make the security as good as possible. We invite you to be part of that solution. Please provide the author with some details that he can actually use to identify what you believe to be the problem so that he can then fix it.

    Noel

  14. Christian Foellmann
    Member
    Posted 1 year ago #

    @P3air: How about contributing an improvement to the plugin code to protect against the scenario you were in?
    That is how open source works. You improve the code for your needs and thereby help others in a similar situation.

    Just because you think some plugin works in a certain way doesn't mean it automagically does.

  15. P3air
    Member
    Posted 1 year ago #

    Our contributions to open source are that we take the risk of testing plugins in a LIVE environment and give limited feedback.

    By outing ourselves as using certain plugins AND contributing even the smallest amount of feedback, we have a significant increase in hacking attacks towards our main site, i.e. yesterday alone we had 60.000+ hits with brute force. In other words: vicious WP coders are monitoring forums and posts like this very closely to skim off any useful and valuable information. We do not intend to make their 'trophy list'.

    Plugins which we SUCCESSFULLY use over a certain period of time will receive good reviews and donations.

    To all who are not satisfied with the details of our feedback, we are sorry, but that's all you get.

    We've found a free plugin which fits our needs. It has been successfully implemented for several months. To respect the effort of the author of this particular plugin, we won't mention it here.

    Good luck guys

  16. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Hi P3air: Please email me directly at danielc@analysisandsolutions.com with any specifics you don't want the general public to see. That's how all open source projects handle sensitive data regarding security problems. Thanks.

  17. mdSeuss
    Member
    Posted 1 year ago #

    OMFG P3air, get over yourself already. Reading your post, we'd think that your WordPress site is key national security infrastructure. It is in fact "just another WordPress site" among the millions.

    Your general rudeness is only exceeded by your humorous paranoia that the brute force attacks are especially targeting your web site.

    Brute force attacks are up everywhere and if you saw 60,000 hits come through to your webserver, then you are NOT doing everything you should to prevent and deny these. And in your spirit of not sharing details, I'm not going to tell you what you are missing, just that YOU ARE NOT DOING ENOUGH if you saw 60,000 hits. That's OBVIOUS.

  18. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    So Apple, Twitter and the New York Times recently explained to the public that they've had security problems and what happened. But P3ear is too important to provide accurate information.

  19. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    I assume P3air is talking about login attempts from XML-RPC requests. Version 0.37.0, released a moment ago, now monitors those. This hole was recently brought to my attention by another user. It could have been fixed months ago if P3air was more forthcoming. Oh, well.
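
The point made in posts 8, 12 and 19 above is that a login throttle which only watches the wp-login.php form misses attempts arriving through other entry points, XML-RPC in particular, while one hooked into WordPress' authentication filter sees them all. The following is an added illustration of that design, not code from Login Security Solution or from any poster in this thread. It assumes a minimal plugin with a hypothetical `flt_` prefix, constructed thresholds, and the standard WordPress hooks `authenticate`, `wp_login_failed` and the `XMLRPC_REQUEST` / `REST_REQUEST` constants; the transient key scheme and the slow-down policy are assumptions chosen for the example.

```php
<?php
/*
Plugin Name: Failed-login throttle (added example, not Login Security Solution's code)
*/

// Constructed thresholds for the example; tune for your own site.
const FLT_MAX_FAILURES   = 5;    // failures tolerated per window
const FLT_WINDOW_SECONDS = 600;  // sliding 10-minute window
const FLT_DELAY_SECONDS  = 3;    // stall applied once over the threshold

// Which entry point the attempt came through. Used only for logging; the
// throttle itself does not care, which is the whole point of the example.
function flt_entry_point() {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        return 'xmlrpc';
    }
    if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
        return 'rest';
    }
    return 'form';
}

// Per-client counter key. REMOTE_ADDR only; trust X-Forwarded-For only if
// your own reverse proxy sets it, otherwise it is attacker-controlled.
function flt_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'flt_fail_' . md5( $ip );
}

// Runs on the 'authenticate' filter at priority 100, after WordPress' own
// username/password authenticator (priority 20). wp_authenticate() applies
// this filter for every login path, including wp_xmlrpc_server::login(),
// so a client over the threshold is slowed and rejected no matter how the
// request arrived. Valid credentials are also rejected while throttled,
// which is the usual lock-out semantics.
function flt_throttle( $user, $username, $password ) {
    $count = (int) get_transient( flt_client_key() );
    if ( $count >= FLT_MAX_FAILURES ) {
        sleep( FLT_DELAY_SECONDS );  // slow-down rather than a hard block
        return new WP_Error( 'flt_throttled', 'Too many failed login attempts.' );
    }
    return $user;
}
add_filter( 'authenticate', 'flt_throttle', 100, 3 );

// wp_authenticate() fires 'wp_login_failed' for failures from any entry
// point, so XML-RPC and REST failures are counted alongside form failures.
// Each failure extends the window (sliding), which is a deliberate choice.
function flt_record_failure( $username ) {
    $key   = flt_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, FLT_WINDOW_SECONDS );
    error_log( sprintf(
        'login failure #%d via %s for user "%s"',
        $count, flt_entry_point(), $username
    ) );
}
add_action( 'wp_login_failed', 'flt_record_failure' );
```

Because the counter lives behind the `authenticate` filter rather than in the wp-login.php template, an XML-RPC `system.multicall` carrying many `wp.getUsersBlogs` calls, each of which invokes `wp_xmlrpc_server::login()`, increments the same counter as form posts and is stalled once the threshold is reached. Anyone maintaining such a throttle should also consider disabling XML-RPC entirely via the `xmlrpc_enabled` filter where it is not needed, and should check the web server's access log for POSTs to `xmlrpc.php` when counting "hits" as P3air did above, since those never appear in wp-login.php traffic.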

  20. jasonpel
    Member
    Posted 1 year ago #

    @Dan - Thanks for fixing this issue and for being a real standup guy throughout this whole thread!

  21. alanudi
    Member
    Posted 1 year ago #

    P3 Air DOESN'T WORK. BOOM. :P

    Their flight school sucks, and I'm not going to tell you why.

Topic Closed

This topic has been closed to new replies.
