• Resolved Ian Dunn

    (@iandunn)


    ./inc/setup.php and /inc/secure.php both have situations where they die() and only output the word “error.” This makes it very hard to track down. It took me 3 hours to figure out why a client couldn’t connect to his WP installation. It ended up being because of the 404 lockout setting. It was locking him out even though he wasn’t doing anything out of the ordinary, and the error message left no clues as to what was happening.

    I understand if you don’t want to say something like, “Better WP Security has locked you out because of too many 404 requests”, because that would give attackers information you don’t want them to have. But you should at least give some kind of clue as to what’s going on. At the very least, say something like “error code #29853”, where “#29853” is just some imaginary number. That would at least let people grep their httpdocs directory to find out what file is generating the error.

    http://wordpress.org/extend/plugins/better-wp-security/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Ian,

    The lockout should be emailing the site owner of the lockout. The message is something I’ve thought about a lot over time and currently I have no plans for changing it, instead relying on the emails to report the message.

    Is there an area to change the error message and if so where is it located?

    The main problem is users. A user may never check their email at time of lockout, that email could go to spam or be blocked entirely by the mail server itself thus never arriving. To have a simple message saying “Error, you have been locked out of the site due to too many bad login attempts” would save us a lot of trouble.

    Another aspect, one of our clients has a lot of staff who edit the site. We implement very secure passwords with these accounts which in turn means they always mess them up which results in the staff getting locked out. The staff are pretty basic in their understanding of technology and the error msg always freaks them out and we get countless emails in all caps saying “HELP WEBSITE IS DOWN OUR CUSTOMERS NEED TO CONTACT US, FIX THIS!!! WHY DOES IT KEEP HAPPENING AND ENSURE IT DOESN’T HAPPEN AGAIN!!!”.

    No matter how we explain why they see the error it goes in one ear and out the other since it’s just over their heads or they don’t care.

    A message would help immensely 🙂

  • The topic ‘[Plugin: Better WP Security] Improve lockout error messages’ is closed to new replies.
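
The opaque error code suggested in the first post, sketched as an added example that is not part of the thread or of Better WP Security's code: the visitor sees only a number and a per-incident reference, while the actual lockout reason goes to the server log. Every function and constant name below is hypothetical, and the code numbers other than 29853 are made up.

```php
<?php
// Added illustration, not Better WP Security code. All names are hypothetical.
// One stable, opaque code per exit point: it tells a visitor nothing about the
// reason, but `grep -rn 29853 .` leads the admin to this table.
const EXAMPLE_LOCKOUT_CODES = [
    'too_many_404s'   => 29853, // number taken from the post; the rest are made up
    'too_many_logins' => 29854,
    'banned_host'     => 29855,
];

// Build the public message and the private log line for one lockout.
function example_lockout_messages(string $reason, string $ip, string $uri): array
{
    $code = EXAMPLE_LOCKOUT_CODES[$reason] ?? 29999; // fallback for unknown reasons
    $ref  = bin2hex(random_bytes(4));                // per-incident id

    // Strip control characters so request data cannot forge extra log lines.
    $clean = static fn(string $s): string =>
        preg_replace('/[\x00-\x1F\x7F]/', '', $s) ?? '';

    $public  = sprintf('Error code #%d (ref %s)', $code, $ref);
    $private = sprintf('lockout code=%d ref=%s reason=%s ip=%s uri=%s',
        $code, $ref, $reason, $clean($ip), $clean($uri));
    return [$public, $private];
}

// Replacement for a bare die('error') at a lockout exit point.
function example_lockout_exit(string $reason): void
{
    [$public, $private] = example_lockout_messages(
        $reason, $_SERVER['REMOTE_ADDR'] ?? '-', $_SERVER['REQUEST_URI'] ?? '-');
    error_log($private); // server-side log only, never sent to the visitor
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    die($public);
}

// Constructed sample input; run with `php example.php`.
if (PHP_SAPI === 'cli') {
    [$pub, $priv] = example_lockout_messages('too_many_404s', '203.0.113.7', "/missing\npage");
    echo $pub, PHP_EOL, $priv, PHP_EOL;
}
```

A locked-out user can quote the reference to whoever runs the site, who then finds the matching `ref=` line in the PHP error log without depending on the notification email arriving.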