Better implementation/compatibility with wp_login_url()

Resolved Taylor McCaslin
(@taylor4484)

10 years, 6 months ago

I’m running a multisite on WP Engine, and they modify the wp-login url to do some custom security work.

I’ve been chatting with their technical support and they have a suggestion for making this plugin more general for better compatibility.

I have tested their suggestions on a few installs both WPEngine and non, both multisite and single site, and it does not affect the functionality of the plugin, only extends compatibility.

On line 76 of duo_wordpress.php, trac link:
http://plugins.trac.wordpress.org/browser/duo-wordpress/trunk/duo_wordpress.php#L76

change this line:
'post_action': '<?php echo wp_login_url() ?>',
to this:
'post_action': '<?php echo site_url( 'wp-login.php', 'login_post' ) ?>',

Here’s the Codex link for site_url:
http://codex.wordpress.org/Function_Reference/site_url

For example WPEngine changes the login_post scheme to append some parameters their security system needs to the url like so:
http://www.mywordpresssite.com/wp-login?WPE-login=mywpengineaccountname
These parameters were not being called when using wp_login_url()

http://wordpress.org/plugins/duo-wordpress/

Viewing 6 replies - 1 through 6 (of 6 total)

Jason Stallings
(@octalmage)

10 years, 6 months ago

This is a common method used to help fight against bot brute force attempts and will help this plugin be more compatible with other security plugins.

Thread Starter Taylor McCaslin
(@taylor4484)

10 years, 5 months ago

I appreciate this making it into the new release, however the latest release breaks duo two again for multisite on WPEngine.
On line 76 in Duotwo.php you have:
'post_action': '<?php echo esc_url(network_site_url('wp-login.php', 'login_post')) ?>',

This works for me:
'post_action': '<?php echo esc_url(site_url('wp-login.php', 'login_post')) ?>',

http://codex.wordpress.org/Function_Reference/site_url
I see that the codex suggests network_site_url, but using network_site_url causes a “no data loaded error”, the same issue as earlier in this ticket but changing it back to site_url allows it to work as intended.

Not sure if this could be related to the changes 3.7 made to Multisite, but maybe?

Anyway this is what worked for me. Maybe @octaimage (support guy at WPEngine) can weigh in here!

Plugin Author Duo Security
(@duosecurity)

10 years, 5 months ago

Thanks for all the great feedback around this issue. The latest version of our plugin (1.7), released 10/30/2013 contains a fix for this specific issue.

Jonny Harris
(@spacedmonkey)

10 years, 2 months ago

@taylor4484 @octalmage

I had a similar issue in my multisite, using 3.8 and setup in sub domain config. The above site_url fix worked for me. Not sure why duo are using network_site_url as site_url works fine.

I have detailed my issue better on github and sent them a pull request. Hopefully Duo can merge the change…

Thread Starter Taylor McCaslin
(@taylor4484)

10 years, 2 months ago

@spacedmoney, I’m having the same problem, I just go in and change the plugin to use site_url any time there is an update.

Are you using WPEngine?

Jonny Harris
(@spacedmonkey)

10 years, 2 months ago

I am not using WPEngine, I am using the multisite in sub domain config.

I have submitted the fix to them, up to @duosecurity to work on it now.