Support » Plugin: Login Security Solution » [Plugin: Login Security Solution] NOT RECOMMENDED

  • Plugin Author Daniel Convissor

    (@convissor)

    Hi:

    Would you be so kind as to explain the scenario under which it doesn’t work, please?

    Thanks,

    –Dan

    Thread Starter P3air

    (@p3air)

    sorry – no
    it would give any attacker an architectural background of our site.

    Despite all settings, attackers were still able to bounce off 80+ tries before we had to interfere manually. We think these attacks are cookie/jquery related since timing is very consistent and precise.

    Plugin Author Daniel Convissor

    (@convissor)

    Hi:

    I was not asking for specific details about your site.

    I’m looking for an outline of why you think LSS didn’t work. Your saying the attackers were able to “bounce off 80+ tries before we had to interfere manually” is a start.

    How many minutes did it take them to make those hits?

    Thanks,

    –Dan

    Plugin Author Daniel Convissor

    (@convissor)

    Hi P3air:

    It seems you misunderstand what this plugin does. An explanation of the matter has been added to the FAQ, entitled “I just got hit with 500 failed logins! Why isn’t this plugin working?!?” Check it out.

    Just because something doesn’t work the way you want it to doesn’t mean it doesn’t work. And it’s certainly a lousy reason for doling out trash talk and one star ratings.

    Thanks,

    –Dan

    Plugin Author Daniel Convissor

    (@convissor)

    The FAQ has been updated with a section entitled “Will you provide lock outs / blocks in addition to slow downs?” It explains how this plugin works and how it actually blocks attackers.

    Gotta love folks like P3air who shoot first, don’t really understand, and don’t even ask questions later. Nice drive by P3air!

    Thread Starter P3air

    (@p3air)

    it’s a nice little plugin and who’s using it and is happy with it, so be it. BUT: your plugin does NOT protect against BRUTE force attacks – just because you create a Q&A doesn’t make it suitable –

    mdSuess we hate to rain on to your parade, but you need to put your Kool-Aid aside and grow up. You have zero understanding what the real problem with this plugin is.

    So, to give you guys a quick heads-up: Most of brute force attacks are jQuery driven: every 2 sec. a bounce against login/database. These attacks do not trigger the wp-login.php – they come direct … Unless the hacker is an idiot and types in the password 3256 times into wp-login.php and hits enter – your plugin will not recognize the attack.

    That may give you a clue where your fundamental flaw in your plugin is.

    As we said in the beginning; It’s a cool little plugin and who’s using it and feels protected with it, great – if you run a serious site, don’t use it. It gives you a false sense of protection.

    Our $0.02 – PEACE

    You must be new to open source etiquette P3air. You drop your load in a topic and don’t provide any concrete details?

    Please.

    @p3air: The Limit Login Attempts plugin protects well against brute force. It limits login tries to a specific number, and this number is not enough to brute-force the password.

    “+1” for “to rain on to your parade” quote 🙂

    Plugin Author Daniel Convissor

    (@convissor)

    P3air:

    “Most of brute force attacks are jQuery driven: every 2 sec. a bounce against login/database.”

    Thank you for finally explaining your scenario. Can you please provide a sample payload and the path (URI without domain) of such a request?

    Thanks.

    Plugin Author Daniel Convissor

    (@convissor)

    Hi P3air:

    The reason I asked for a proof of concept is because I’m pretty sure this plugin already handles the scenario you’re mentioning. The Login Security Solution checks all WordPress’ authentication hooks, not just activity in wp-login.php.

    It’d be great if you were actually interested in improving security by participating in the open source community.

    You may say I’m a dreamer
    But I’m not the only one
    I hope someday you’ll join us…

    @p3air: I find your comments here really odd.

    You downloaded a free plugin as you hoped it would do something for you.

    You decided (rightly or wrongly) that it doesn’t do what you wanted it to do.

    You then come here and say “it doesn’t work” without explaining in any way how you came to that conclusion.

    The author then offers to fix the plugin so that it does work for you, but you just ignore that.

    So, did you want a solution that works? Or do you just want to complain about something that you got for free?

    Very odd.

    Everyone here is concerned about web security. There is no such thing as complete security, other than turning your website off. The goal of open source (such as this plugin) is that we work together to make the security as good as possible. We invite you to be part of that solution. Please provide the author with some details that he can actually use to identify what you believe to be the problem so that he can then fix it.

    Noel

    @p3air: How about contributing an improvement to the plugin code to protect against the scenario you were in?
    That is how open-source works. You improve the code for your needs and thereby help others in a similar situation.

    If you just think some plugin works in a certain way, it does not automagically do so.

    Thread Starter P3air

    (@p3air)

    Our contributions to open-source are that we take the risk of testing plugins in a LIVE environment and give limited feedback.

    By outing us in using certain plugins AND contributing even in the smallest amount of feedback we have a significant increase in hacking attacks towards our main site, i.e. yesterday alone we had 60.000+ hits with brute force. In other words: Vicious WP coders are monitoring forums and posts like this very closely to skim off any useful and valuable information. We do not intend to make their ‘trophy list’.

    Plugins which we SUCCESSFULLY use over a certain period of time will receive good reviews and donations.

    To all who are not satisfied with the details of our feedback: we are sorry, but that’s all you get.

    We’ve found a free plugin which fits our needs. It has been successfully implemented for several months. To respect the effort of the author of this particular plugin we won’t mention it here.

    Good luck guys

    Plugin Author Daniel Convissor

    (@convissor)

    Hi P3air: Please email me directly at danielc@analysisandsolutions.com with any specifics you don’t want the general public to see. That’s how all open source projects handle sensitive data regarding security problems. Thanks.
