BulletProof Security
[resolved] Suddenly Conflicts with Two-Step Authentication (21 posts)

  1. Synthia
    Member
    Posted 1 year ago #

    I've been using Bulletproof and Duo Security simultaneously (along with Wordfence) for months.

    However, recently I updated some plugins and now Bulletproof will not allow me to use Duo Security to log in. I log into WordPress, but on the second authentication step I am kicked out and told that my login credentials are invalid.

    I've disabled numerous plugins and isolated Bulletproof as the culprit. With it deactivated, I can log in and use Duo Security just fine.

    Any suggestions? I really like BP.
    My site is scorpioland.org btw.

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    If you would like to use Duo Security Login protection then Turn Off BPS Login Security. If you would like to use BPS Login Security then Turn Off Duo Security Login protection.

  3. Synthia
    Member
    Posted 1 year ago #

    I hadn't been observant enough to realize that the latest update to Bulletproof included login security. That's a good feature, but I only wish that it had two-step authentication since it conflicts. (Maybe in the future?? :-) )

    However, yes, I will disable that feature in order to use Duo Security. Thank you.

  4. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    It is not a conflict. It is simply a matter of choosing which Login Security feature to use since they are both doing the same/similar thing. We will look at two-step authentication and see if this feature is worth adding. Thanks.

  5. Synthia
    Member
    Posted 1 year ago #

    Well, guess we will disagree on these being overlapping or similar services.

    Just to offer a different perspective for others considering these two apps: IMO, they address two distinct and different login concerns.

    Duo Security (free version) only provides two-step authentication. It does not provide ANY of the login features (managing login attempts and lockouts) that Bulletproof provides.

    BP doesn't have 2-step. So, it's reasonable that someone would want to use both at the same time.

    I have other plugins that can do login monitoring/lockout services. So while BP as a whole is great and indispensable to me, the login services aren't. Multi-step authentication is much harder to find.

    Two-Step authentication gives me peace of mind because I know if someone guesses my real login credentials or gets through the regular login screen, they cannot access my dashboard unless I approve an access request via a Duo Security app on my wireless phone. That second layer of approval is comforting to me.

    That is all.

  6. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    If two-step authentication does it for ya then great!

    Ok let me try to explain this a little clearer. Both plugins are calling and using the same WordPress Login hooks on the WordPress authentication page because they are both doing the same/similar thing - processing WordPress authentication. 2 plugins cannot be using the same WordPress Login hooks on the authentication page at the same time because 1 would override the other.

    Here is an analogy that will hopefully make this whole thing crystal clear. You can only use 1 WordPress theme at a time because whichever WordPress Theme you choose will be hooking into WordPress and performing whatever functions that that Theme does. This is not the same as having Child Themes since Child Themes are treated as an instance of a Theme and not a main/primary Theme for the website.

  7. Synthia
    Member
    Posted 1 year ago #

    I just had the chance to log back in after being away and still am not able to do so despite turning off the Bulletproof login security features.

    So, the matter is not resolved but never mind.

  8. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    To turn Off Login Security
    1. Select Turn Off Login Security.
    2. Click the Save Options button to save your new option.

  9. Synthia
    Member
    Posted 1 year ago #

    Yes, that's what I did before.

    After using Filezilla to temporarily delete Duo Security so I could log in, I did verify that Bulletproof Login Security was indeed turned off. It was. The settings are saved, but BPS is still blocking the two-step authentication.

    So I just had to deactivate it until things are working in harmony. I might see if I can find an older version of BPS before the recent update, although that is probably risky.

  10. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok I'll download the plugin and test it and see if something is going on. When BPS Login Security is turned off it should not be processing the authentication in any way so maybe there is another issue that is not obvious. Will post test results back here.

  11. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Hmm ok I don't get it. The setup steps say this..

    If you don't yet have a Duo account, sign up now for free at http://www.duosecurity.com.

    So I click on the link and there is nowhere to sign up??? What am I supposed to do next? Do you have to contact them to ask for an account? Thanks.

  12. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Oh is this part of the setup procedure???

    Are you supposed to try and login and then they will call you? Is that what this means???

    2. We'll text or call you to complete your login.

  13. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    I don't want to give out my phone number and I don't want them to call me. Is there another way to sign up???

  14. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    LOL oh never mind I get it. They need your phone number so that they can "program" it into their system. Ok I will look at the code of the plugin instead and see if the issue/problem is obvious or just disable the api to test it. ;)

  15. Synthia
    Member
    Posted 1 year ago #

    hey ... you seemed to have figured out how to sign up.. but just fyi

    you have to click on the pricing page and then use the "create my account" feature to sign up for the free account. And yes you have to give them a number (but you can always remove it or give a bogus one later once you sign in)

    https://www.duosecurity.com/pricing

  16. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yeah I don't want to give them my number or sign up so I am recoding the API code in this plugin to bypass the API check just to get it to function for testing. ;)

  17. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok I see what the issue is. Since Duo-two factor does not have an On or Off setting/option/button then it is always on no matter what. BPS has some standard WordPress authentication code at the bottom of the /includes/login-security.php file that should have been wrapped in a condition, but it was not so that needs to be fixed ASAP.

    Duo is using a standard remove action to remove WP Authentication, but this little snippet of code at the bottom of the login-security.php page is still being processed because it is not wrapped in a condition.

    /*
    ****************************************************
    // WordPress Standard Authentication Processing Code
    ****************************************************
    */
    // The new condition that needs to be added.
    // The parentheses group the two logging modes so that the On/Off switch
    // guards both of them (&& binds tighter than || in PHP).
    if ( $BPSoptions['bps_login_security_OnOff'] == 'On' && ( $BPSoptions['bps_login_security_logging'] == 'logAll' || $BPSoptions['bps_login_security_logging'] == 'logLockouts' ) ) {
    ...
    ...
    ...
    // closing brace of the new condition
    }
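
Added example, not part of the original post and not BPS code: because `&&` binds tighter than `||` in PHP, how a condition like the one above is grouped decides whether the wrapped block still runs while Login Security is Off. The function names, `'Off'` and `'logNone'` are assumptions made for the demonstration; the only combination on which the two forms disagree is Off with `logLockouts`.

```php
<?php
// Added example: stand-alone PHP (no WordPress needed). The two option keys and
// the values 'On', 'logAll', 'logLockouts' come from the post; 'Off' and
// 'logNone' are constructed stand-ins for "any other stored value".

// Ungrouped form. PHP parses it as (A && B) || C, so C alone is enough.
function gate_ungrouped(array $o): bool
{
    return $o['bps_login_security_OnOff'] == 'On'
        && $o['bps_login_security_logging'] == 'logAll'
        || $o['bps_login_security_logging'] == 'logLockouts';
}

// Grouped form: the On/Off switch guards both logging modes. Missing keys
// (options never saved) count as "feature off" instead of raising warnings.
function gate_grouped(array $o): bool
{
    $onOff   = $o['bps_login_security_OnOff'] ?? '';
    $logging = $o['bps_login_security_logging'] ?? '';
    return $onOff === 'On' && in_array($logging, ['logAll', 'logLockouts'], true);
}

// Enumerate every combination and collect the ones where the two forms differ.
function gate_mismatches(): array
{
    $rows = [];
    foreach (['On', 'Off'] as $onOff) {
        foreach (['logAll', 'logLockouts', 'logNone'] as $logging) {
            $o = [
                'bps_login_security_OnOff'   => $onOff,
                'bps_login_security_logging' => $logging,
            ];
            if (gate_ungrouped($o) !== gate_grouped($o)) {
                $rows[] = $o + ['ungrouped' => gate_ungrouped($o), 'grouped' => gate_grouped($o)];
            }
        }
    }
    return $rows;
}

foreach (gate_mismatches() as $r) {
    printf(
        "OnOff=%s logging=%s ungrouped=%s grouped=%s\n",
        $r['bps_login_security_OnOff'],
        $r['bps_login_security_logging'],
        var_export($r['ungrouped'], true),
        var_export($r['grouped'], true)
    );
}
```
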

  18. Synthia
    Member
    Posted 1 year ago #

    OK. Thanks for figuring it out.

    I'll get a friend to help me add this condition/code into that .php file.

  19. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Thanks for catching this boo boo. We will release a new BPS version tomorrow ASAP with this new code. ;)

  20. Synthia
    Member
    Posted 1 year ago #

    Awesome! :-)

  21. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    BPS .48.5 has been released and the conditional wraps have been added. Found another boo boo where BPS Login Security would override other Login Security plugins. oops it happens. Thanks again for catching this. ;)

Topic Closed

This topic has been closed to new replies.
