email to notify user failed logins causing IP lockout

Resolved mikele3
(@mikele3)

7 years, 8 months ago

Hello.

I have a website where users must login to access their private content.

Since I installed All In One WP Security and enabled the login lockdown feature, I noticed that users very often mistake their password enough times to get temporarily (60 min. in my case) locked out.

The issue I am having is that they don’t get to know that their IP is blocked and keep uselessly trying to login.
Is there a setting in the admin panel for an email to be sent to the user whose password was wrong enough times to generate a lockout?
Or a hook I can use in code to send an email of this kind?

Or a setting (or hook) to simply display a warning (i.e.: IP locked out for 1h) in the login form?

thank you in advance for your help.

https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

Viewing 15 replies - 1 through 15 (of 16 total)

1 2 →

Plugin Contributor mbrsolution
(@mbrsolution)

7 years, 8 months ago

Hi, do you have the following enabled Allow Unlock Requests? This feature would help the user to unlock their account.

Thread Starter mikele3
(@mikele3)

7 years, 8 months ago

how is the “Allow Unlock Requests” feature supposed to work?

I enabled it, then opened a different browser and failed 3 times logging in from a dummy account I have made for testing purpose.

In the browser where I was logged in as admin I could see the IP address in the blocked list.
I also received the email notifying me that the IP was locked because of failed login attempt from my dummy account.
But I have not seen unlock request link, nor received it in the dummy account’s email.

If that counts, the login form is a custom implementation in the front end of the website.

Plugin Contributor mbrsolution
(@mbrsolution)

7 years, 8 months ago

Hi, I just carried out a test in my testing platform. The Allow Unlock Requests adds a button on top of the log in button. This happens after you receive the IP lock out error message.

Once you click on the unlock button you will see the following message.

You are here because you have been locked out due to too many incorrect login attempts.

Please enter your email address and you will receive an email with instructions on how to unlock yourself.

Then you have to enter your e-mail address to receive your unlocking instructions.

If the above does not happen in your site, then I suspect that one of your plugins might be conflicting with this process. Or if it is not a plugin perhaps it is your theme.

Regards

Thread Starter mikele3
(@mikele3)

7 years, 8 months ago

I see, thank you for taking the time to explain in details.

I do not see all that.
Definitively either the plugin I use (Profile Builder Pro) or the themes does prevent it from happening… but it is the feature I was looking for; hopefully I’ll figure out a way to make it work.

Thank you again.

Thread Starter mikele3
(@mikele3)

7 years, 8 months ago

I have tested it on another website where I use no custom login and I could see how it works.

I would really like to have it working on my other website, the one that uses Profile Builder Pro to manage login and profile forms.

I had a quick look to the files inside the all-in-one-wp-security-and-firewall plugin folder.
Any advice on where to start digging?
Is the DIV containing the Unlock Request button added to the login form through a WP hook or via Javascript?
May I ask which file has the code that generates the button and the two hidden input values?
Česlav Przywara
(@chesio)

7 years, 8 months ago
Hi,

Check the classes/wp-security-user-login.php file.

There’s a AIOWPSecurity_User_Login::insert_unlock_request_form() method that will produce a “Request Unlock” button. One problem with this method is that it is not static (it safely could be though), so will you need AIOWPSecurity_User_Login instance to be able to hook it.

I don’t know Profile Builder Pro, so I’m not sure what’s the proper place to hook it. In the AIOWPSF plugin, it is hooked twice (see AIOWPSecurity_User_Login::aiowp_auth_login() method in the same file):
```
add_action('login_form', array(&$this, 'insert_unlock_request_form'));
add_action('woocommerce_login_form', array(&$this, 'insert_unlock_request_form'));
```
Hope this helps,
Česlav
Thread Starter mikele3
(@mikele3)

7 years, 8 months ago

Česlav, thank you so much!

Thanks to your input, I managed to quickly hack together a solution that gives me the Unlock request button on my custom login page.
The whole Unlocking process does work as well.

Now there are a few things I want to customize:
send_unlock_request_email .. both subject and body .. is there a way to do that without touching the plugin files?

I would like to have the “submit email for unlocking request” form on a page of my own (like mydomain.com/unlock_request/ , not the wp login url …
is there a function that outputs that form, similar to what AIOWPSecurity_User_Login::insert_unlock_request_form() does for the button?
Česlav Przywara
(@chesio)

7 years, 8 months ago
Hi,

send_unlock_request_email .. both subject and body .. is there a way to do that without touching the plugin files?

Have a look on send_unlock_request_email() method in AIOWPSecurity_User_Login class (still the same file). Your only chance is to provide alternative plugin translation strings (ie. load your own translation file for the plugin with those strings adapted).

I would like to have the “submit email for unlocking request” form on a page of my own (like mydomain.com/unlock_request/ , not the wp login url …
is there a function that outputs that form, similar to what AIOWPSecurity_User_Login::insert_unlock_request_form() does for the button?

The form is rendered by other-includes/wp-security-unlock-request.php file, so you can try to include it. Note that this file renders entire HTML page, so you have to include it before WP sends any output. This is how it’s done in the plugin (see classes/wp-security-general-init-tasks.php file):
```
//For user unlock request feature
if(isset($_POST['aiowps_unlock_request']) || isset($_POST['aiowps_wp_submit_unlock_request'])){
    nocache_headers();
    remove_action('wp_head','head_addons',7);
    include_once(AIO_WP_SECURITY_PATH.'/other-includes/wp-security-unlock-request.php');
    exit();
}
```
Alternatively, you may try to code your alternative to this file (as a shortcode or whatever works for you) and just make sure to call the necessary static methods of the plugin. This should work too.

Greets,
Česlav
Thread Starter mikele3
(@mikele3)

7 years, 7 months ago
thank you again Česlav.

using your hints I succeeded having the “Request Unlock ” button in my custom login page.
also I have the whole unlock request process happening in : mydomain.com/unlock_request/

my website is multilingual, through the use of the WPML plugin.
with that said, the less elegant part of my implementation is having to work around some messages that are hard coded and not available for translation in the other-includes/wp-security-unlock-request.php file:
```
"You are here because you have been locked out due to too many incorrect login attempts.";
"Please enter your email address and you will receive an email with instructions on how to unlock yourself.";
"Send Unlock Request"
"An email has been sent to you with the unlock instructions."
```
not a big deal.

bigger problem for me (as it might/will break with updates) is with:
```
static function send_unlock_request_email($email, $unlock_link)
```
I had to comment that out and rewrite my version.

my issues are:
```
$subject = '['.get_option('siteurl').'] '. __('Unlock Request Notification','all-in-one-wp-security-and-firewall');
```
get_option(‘siteurl’) returns the url to the WP installation not the website’s base url
even then, I would have preferred the website name… I changed that to:
```
$subject = get_bloginfo( 'name' ) . '  ' . __('Unlock Request Notification','all-in-one-wp-security-and-firewall');
```
and I had to broke down into smaller parts $email_msg in order to be able to provide translations through WPML.
this:
```
$email_msg .= __('You have requested for the account with email address '.$email.' to be unlocked. Please click the link below to unlock your account:','all-in-one-wp-security-and-firewall')."\n";
```
would have been made available for translation as : “You have requested for the account with email address myownemail@mydomain.com to be unlocked. Please click the link below to unlock your account:”

so I did rewrite it as:
```
$email_msg .= __('You have requested for the account with email address ','all-in-one-wp-security-and-firewall');
$email_msg .= $email;
$email_msg .= __(' to be unlocked. Please click the link below to unlock your account:','all-in-one-wp-security-and-firewall')."\n";
```
I just thought I would mention it just in case….
Thread Starter mikele3
(@mikele3)

7 years, 4 months ago

Hi.
today I updated to Version 4.2.4 and now I am getting this error:

Fatal error: Call to undefined method AIOWPSecurity_User_Login::insert_unlock_request_form() in ....

I was using it in my custom login page to output the “Unlock Request” button.

How can I do that now?

Česlav Przywara
(@chesio)

7 years, 4 months ago

Hi,

The way plugin inserts the unlock request form changed, so this function has been renamed to AIOWPSecurity_User_Login::get_unlock_request_form(). As the name suggests, it now doesn’t echo the form, but returns HTML string with the form instead, so you have to echo the result yourself.

Also, the form is now a true form: <form> and </form> tags are included in returned string (it wasn’t the case before).

Sorry for breaking your implementation!

Cheers,
Česlav

vasseurb
(@vasseurb)

7 years, 4 months ago

What is the setting so that users DO NOT get an email when someone tries to login with their username locking them out. Some of our sites get a lot of attempts and users with common usernames are getting notified several times a week.
Thread Starter mikele3
(@mikele3)

7 years, 4 months ago
Hi Česlav, thank you for the quick reply.

I replaced the function in my script and added echo in front of it; works perfectly.

I still have to patch the plugin on every update to fix my issue with the email that is sent after the unlock request…. do you think the small changes I suggest will ever be considered in the next updates?
(copy and paste from above)

bigger problem for me (as it might/will break with updates) is with:

static function send_unlock_request_email($email, $unlock_link)
I had to comment that out and rewrite my version.

my issues are:

$subject = '['.get_option('siteurl').'] '. __('Unlock Request Notification','all-in-one-wp-security-and-firewall');

get_option(‘siteurl’) returns the url to the WP installation not the website’s base url
even then, I would have preferred the website name… I changed that to:

$subject = get_bloginfo( 'name' ) . ' ' . __('Unlock Request Notification','all-in-one-wp-security-and-firewall');

and I had to broke down into smaller parts $email_msg in order to be able to provide translations through WPML.
this:

$email_msg .= __('You have requested for the account with email address '.$email.' to be unlocked. Please click the link below to unlock your account:','all-in-one-wp-security-and-firewall')."\n";
would have been made available for translation as : “You have requested for the account with email address myownemail@mydomain.com to be unlocked. Please click the link below to unlock your account:”

so I did rewrite it as:
```
$email_msg .= __('You have requested for the account with email address ','all-in-one-wp-security-and-firewall');
$email_msg .= $email;
$email_msg .= __(' to be unlocked. Please click the link below to unlock your account:','all-in-one-wp-security-and-firewall')."\n";
```
Česlav Przywara
(@chesio)

7 years, 4 months ago

Hi @mikele3,

Actually the second problem should be resolved already, see the current code: https://github.com/Arsenal21/all-in-one-wordpress-security/blob/master/all-in-one-wp-security/classes/wp-security-user-login.php#L372-L376

You should have the following string available for translation: “You have requested for the account with email address %s to be unlocked. Please click the link below to unlock your account:” – the “%s” part is placeholder for email address that is injected via call to sprintf.

I’ll have a look on the subject-line problem.

Cheers,
Česlav

Česlav Przywara
(@chesio)

7 years, 4 months ago

@vasseurb Please, start your own thread.