Hello,

    I created a new website yesterday, and this morning I can see the lockout feature does not work.

    When I try to log in with a bad password, it is registered in the log; if I continue and reach the threshold, I can keep trying different passwords and the lockout does not work. But in the log I can see “User Lockout: John”. I can continue to visit the website and try to connect. If I enter the good password, I’m connected.

    So it’s possible for anybody to attack my website by brute force.

    WordPress version: 5.6
    iThemes Security: 7.9.0

    My question: Is it a bug? Or did I not set my configuration correctly?

Viewing 13 replies - 1 through 13 (of 13 total)
Thread Starter yann vangampelaere

    (@yann-vangampelaere)

To reproduce:

    1) Step 1, lock the user:
    – try many passwords on one specific user

    2) Step 2, check the locked-out user in the log and verify the lockout period (like 15 min)

    3) Step 3, try to connect with the good password… this step should not work before 15 minutes…

    Note for dev: I’m logged in as admin from the same IP in another browser.

    Hi,

    The first thing that comes to my mind is that this is probably happening because the (client) IP is whitelisted (or if you prefer more inclusive terminology, added to the Authorized Hosts List).

    The way it works is that any client that logs into the WordPress Dashboard as a user with the Administrator role, is automatically whitelisted by the iTSec plugin for 24 hours.

    Try it from an IP that has not yet logged into the WP Dashboard.

    To prevent any confusion, I’m not iThemes.

This reply was modified 5 years, 2 months ago by nlpro.

    @yann-vangampelaere

    Or temporarily add the line below to the wp-config.php file:

    define( 'ITSEC_DISABLE_TEMP_WHITELIST', true );

    … and retest with the same (whitelisted) client IP.

    To prevent any confusion, I’m not iThemes.

PS: After checking the lockout code I can confirm that for (temporarily) whitelisted IPs, executing any type of lockout is aborted.
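The following is an added illustration, not iThemes Security's own code, of the mechanism described in this reply and in the reporter's reproduction steps: an Administrator login temporarily authorizes the client IP, a later lockout for that IP is logged but not enforced, and defining the ITSEC_DISABLE_TEMP_WHITELIST constant switches the temporary list off. The class, method names, attempt threshold and the sample IP addresses are assumptions made for the example; only the constant name and the "User Lockout:" log text come from the thread.

```php
<?php
// Added example (not the plugin's code): a minimal model of a login lockout whose
// enforcement is skipped for a temporarily authorized client IP.
final class LockoutModel
{
    private int $threshold;        // failed attempts before a lockout (assumed value)
    private int $lockoutSeconds;   // lockout duration, 15 min as in the reporter's test
    private int $tempAuthSeconds;  // 24h admin authorization, as described in the thread
    /** @var array<string,int> failed attempts per username */
    private array $failures = [];
    /** @var array<string,int> lockout expiry (unix time) per username */
    private array $lockouts = [];
    /** @var array<string,int> temporary authorization expiry (unix time) per IP */
    private array $tempAuthorized = [];
    /** @var string[] what the plugin's log would show */
    public array $log = [];

    public function __construct(int $threshold = 5, int $lockoutSeconds = 900, int $tempAuthSeconds = 86400)
    {
        $this->threshold = $threshold;
        $this->lockoutSeconds = $lockoutSeconds;
        $this->tempAuthSeconds = $tempAuthSeconds;
    }

    // An Administrator login authorizes the client IP for 24 hours.
    public function adminLoggedIn(string $ip, int $now): void
    {
        $this->tempAuthorized[$ip] = $now + $this->tempAuthSeconds;
    }

    private function isTempAuthorized(string $ip, int $now): bool
    {
        // The wp-config.php constant from the thread disables the temporary list entirely.
        if (defined('ITSEC_DISABLE_TEMP_WHITELIST') && ITSEC_DISABLE_TEMP_WHITELIST) {
            return false;
        }
        return isset($this->tempAuthorized[$ip]) && $this->tempAuthorized[$ip] > $now;
    }

    public function isLockedOut(string $user, int $now): bool
    {
        return isset($this->lockouts[$user]) && $this->lockouts[$user] > $now;
    }

    /** Returns 'locked', 'success' or 'failure'. */
    public function attemptLogin(string $ip, string $user, bool $passwordCorrect, int $now): string
    {
        if ($this->isLockedOut($user, $now)) {
            $this->log[] = "Rejected: $user is locked out";
            return 'locked';
        }
        if ($passwordCorrect) {
            $this->failures[$user] = 0;
            return 'success';
        }
        $this->failures[$user] = ($this->failures[$user] ?? 0) + 1;
        $this->log[] = "Invalid login: $user from $ip";
        if ($this->failures[$user] >= $this->threshold) {
            // The confusing part from the thread: the lockout is written to the log...
            $this->log[] = "User Lockout: $user";
            // ...but for a temporarily authorized IP it is never actually enforced.
            if (!$this->isTempAuthorized($ip, $now)) {
                $this->lockouts[$user] = $now + $this->lockoutSeconds;
            }
            $this->failures[$user] = 0;
        }
        return 'failure';
    }
}

$now = time();

// Scenario 1: the reporter's setup. Admin is logged in from the same IP (constructed address).
$m = new LockoutModel();
$m->adminLoggedIn('203.0.113.10', $now);
for ($i = 0; $i < 5; $i++) {
    $m->attemptLogin('203.0.113.10', 'John', false, $now + $i);
}
echo "Authorized IP after threshold: " . $m->attemptLogin('203.0.113.10', 'John', true, $now + 10) . "\n";

// Scenario 2: a client IP that never logged in to the dashboard as an Administrator.
$m2 = new LockoutModel();
for ($i = 0; $i < 5; $i++) {
    $m2->attemptLogin('198.51.100.7', 'John', false, $now + $i);
}
echo "Unauthorized IP after threshold: " . $m2->attemptLogin('198.51.100.7', 'John', true, $now + 10) . "\n";

// Scenario 3: same as scenario 1, but with the constant from this reply defined.
define('ITSEC_DISABLE_TEMP_WHITELIST', true);
$m3 = new LockoutModel();
$m3->adminLoggedIn('203.0.113.10', $now);
for ($i = 0; $i < 5; $i++) {
    $m3->attemptLogin('203.0.113.10', 'John', false, $now + $i);
}
echo "Authorized IP, constant set: " . $m3->attemptLogin('203.0.113.10', 'John', true, $now + 10) . "\n";
```

Run with `php lockout_model.php`: scenario 1 prints `success` even though the log array contains "User Lockout: John", scenarios 2 and 3 print `locked`. This is why the check in the reply (test from an IP that has not logged into the dashboard, or define the constant) is the right way to verify whether the lockout itself is broken or merely bypassed by the authorization list.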

    @timothyblynjacobs

    In line with previous changes for more inclusive terminology in the iTSec plugin please change the ITSEC_DISABLE_TEMP_WHITELIST constant into something like:

    ITSEC_DISABLE_TEMP_AUTH_HOSTS_LIST

    Plugin Contributor Timothy Jacobs

    (@timothyblynjacobs)

@nlpro Good call, will make sure that gets updated in the next release.

    … and add it to the list of defines in the core/admin-pages/page-debug.php file. 😉

    nlpro

    (@nlpro)

    @timothyblynjacobs

    Bump … 😉

    Plugin Contributor Timothy Jacobs

    (@timothyblynjacobs)

    Hey @nlpro! We’re working on a larger release right now, the release last week was just to fix those issues.

    The new release tentatively includes a UI setting to configure the temp auth listing. If that setting doesn’t make it, then we’ll update the lockout code to also support those new constant names.

    nlpro

    (@nlpro)

    @timothyblynjacobs

    Ah, ok that explains 😉 Thanks for letting me know.

    I probably tagged it incorrectly (@timothybjacobs) but I would appreciate any input you can provide regarding this topic.

    @timothyblynjacobs

    Ok, so the UI setting made it into the 7.0(.1) release.

However, I noticed the ITSEC_DISABLE_TEMP_WHITELIST constant is still being used in the lockout code (though in a new function named is_temp_authorization_enabled()).
    Is that done for backwards compatibility?

    And will the constant be deprecated somewhere in the future?

    Plugin Contributor Timothy Jacobs

    (@timothyblynjacobs)

    Yep, the ITSEC_DISABLE_TEMP_WHITELIST is still supported. There aren’t any plans currently to deprecate/remove it. But it may happen in the future, if it does, we’d set the setting to whatever value the constant is defined as.

    That being said, the setting is the recommended way to configure that option.

    @timothyblynjacobs

    Ok, I see.

    So in that case please also add it to the list of constants in the core/admin-pages/page-debug.php file (if not already) 😉

    @timothyblynjacobs

    … and the brand new ITSEC_FORCE_UNINSTALL constant 😉

    Plugin Contributor Timothy Jacobs

    (@timothyblynjacobs)

    Nice catch @nlpro, thanks. We’ll do a sweep of the supported constants and make sure the debug page gets updated.


The topic ‘Lockout feature not work’ is closed to new replies.