Duo Two-Factor Authentication
[resolved] Better implementation/compatibility with wp_login_url() (7 posts)

  1. Taylor4484
    Posted 2 years ago #

    I'm running a multisite on WP Engine, and they modify the wp-login url to do some custom security work.

    I've been chatting with their technical support and they have a suggestion for making this plugin more general for better compatibility.

    I have tested their suggestions on a few installs both WPEngine and non, both multisite and single site, and it does not affect the functionality of the plugin, only extends compatibility.

    On line 76 of duo_wordpress.php, trac link:

    change this line:
    'post_action': '<?php echo wp_login_url() ?>',
    to this:
    'post_action': '<?php echo site_url( 'wp-login.php', 'login_post' ) ?>',

    Here's the Codex link for site_url:

    For example WPEngine changes the login_post scheme to append some parameters their security system needs to the url like so:
    These parameters were not being called when using wp_login_url()


  2. Jason Stallings
    Posted 2 years ago #

    This is a common method used to help fight against bot brute force attempts and will help this plugin be more compatible with other security plugins.

  3. Taylor4484
    Posted 2 years ago #

    I appreciate this making it into the new release, however the latest release breaks duo two again for multisite on WPEngine.
    On line 76 in Duotwo.php you have:
    'post_action': '<?php echo esc_url(network_site_url('wp-login.php', 'login_post')) ?>',

    This works for me:
    'post_action': '<?php echo esc_url(site_url('wp-login.php', 'login_post')) ?>',

    I see that the codex suggests network_site_url, but using network_site_url causes a "no data loaded error", the same issue as earlier in this ticket but changing it back to site_url allows it to work as intended.

    Not sure if this could be related to the changes 3.7 made to Multisite, but maybe?

    Anyway this is what worked for me. Maybe @octaimage (support guy at WPEngine) can weigh in here!

  4. Duo Security
    Plugin Author

    Posted 2 years ago #

    Thanks for all the great feedback around this issue. The latest version of our plugin (1.7), released 10/30/2013 contains a fix for this specific issue.

  5. Spacedmonkey
    Posted 2 years ago #

    @Taylor4484 @octalmage

    I had a similar issue in my multisite, using 3.8 and setup in sub domain config. The above site_url fix worked for me. Not sure why duo are using network_site_url as site_url works fine.

    I have detailed my issue better on github and sent them a pull request. Hopefully Duo can merge the change...

  6. Taylor4484
    Posted 2 years ago #

    @spacedmoney, I'm having the same problem, I just go in and change the plugin to use site_url any time there is an update.

    Are you using WPEngine?

  7. Spacedmonkey
    Posted 2 years ago #

    I am not using WPEngine, I am using the multisite in sub domain config.

    I have submitted the fix to them, up to @duosecurity to work on it now.

Topic Closed

This topic has been closed to new replies.

About this Plugin

  • Duo Two-Factor Authentication
  • Frequently Asked Questions
  • Support Threads
  • Reviews

About this Topic