email to notify user failed logins causing IP lockout

  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, do you have the following enabled: Allow Unlock Requests? This feature would help the user to unlock their account.

    How is the “Allow Unlock Requests” feature supposed to work?

    I enabled it, then opened a different browser and failed 3 times logging in from a dummy account I have made for testing purposes.

    In the browser where I was logged in as admin I could see the IP address in the blocked list.
    I also received the email notifying me that the IP was locked because of failed login attempts from my dummy account.
    But I have not seen an unlock request link, nor received it in the dummy account’s email.

    If that counts, the login form is a custom implementation in the front end of the website.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, I just carried out a test in my testing platform. The Allow Unlock Requests adds a button on top of the log in button. This happens after you receive the IP lock out error message.

    Once you click on the unlock button you will see the following message.

    You are here because you have been locked out due to too many incorrect login attempts.

    Please enter your email address and you will receive an email with instructions on how to unlock yourself.

    Then you have to enter your e-mail address to receive your unlocking instructions.

    If the above does not happen in your site, then I suspect that one of your plugins might be conflicting with this process. Or if it is not a plugin perhaps it is your theme.

    Regards

    I see, thank you for taking the time to explain in detail.

    I do not see all that.
    Definitely either the plugin I use (Profile Builder Pro) or the theme does prevent it from happening… but it is the feature I was looking for; hopefully I’ll figure out a way to make it work.

    Thank you again.

    I have tested it on another website where I use no custom login and I could see how it works.

    I would really like to have it working on my other website, the one that uses Profile Builder Pro to manage login and profile forms.

    I had a quick look at the files inside the all-in-one-wp-security-and-firewall plugin folder.
    Any advice on where to start digging?
    Is the DIV containing the Unlock Request button added to the login form through a WP hook or via JavaScript?
    May I ask which file has the code that generates the button and the two hidden input values?

    Plugin Contributor chesio

    (@chesio)

    Hi,

    Check the classes/wp-security-user-login.php file.

    There’s an AIOWPSecurity_User_Login::insert_unlock_request_form() method that will produce a “Request Unlock” button. One problem with this method is that it is not static (it safely could be though), so you will need an AIOWPSecurity_User_Login instance to be able to hook it.

    I don’t know Profile Builder Pro, so I’m not sure what’s the proper place to hook it. In the AIOWPSF plugin, it is hooked twice (see AIOWPSecurity_User_Login::aiowp_auth_login() method in the same file):

    add_action('login_form', array(&$this, 'insert_unlock_request_form'));
    add_action('woocommerce_login_form', array(&$this, 'insert_unlock_request_form'));
    

    Hope this helps,
    Česlav

    Česlav, thank you so much!

    Thanks to your input, I managed to quickly hack together a solution that gives me the Unlock request button on my custom login page.
    The whole Unlocking process does work as well.

    Now there are a few things I want to customize:
    send_unlock_request_email .. both subject and body .. is there a way to do that without touching the plugin files?

    I would like to have the “submit email for unlocking request” form on a page of my own (like mydomain.com/unlock_request/, not the wp login url) …
    is there a function that outputs that form, similar to what AIOWPSecurity_User_Login::insert_unlock_request_form() does for the button?

    Plugin Contributor chesio

    (@chesio)

    Hi,

    send_unlock_request_email .. both subject and body .. is there a way to do that without touching the plugin files?

    Have a look at the send_unlock_request_email() method in the AIOWPSecurity_User_Login class (still the same file). Your only chance is to provide alternative plugin translation strings (i.e. load your own translation file for the plugin with those strings adapted).

    I would like to have the “submit email for unlocking request” form on a page of my own (like mydomain.com/unlock_request/, not the wp login url) …
    is there a function that outputs that form, similar to what AIOWPSecurity_User_Login::insert_unlock_request_form() does for the button?

    The form is rendered by the other-includes/wp-security-unlock-request.php file, so you can try to include it. Note that this file renders an entire HTML page, so you have to include it before WP sends any output. This is how it’s done in the plugin (see the classes/wp-security-general-init-tasks.php file):

    //For user unlock request feature
    if(isset($_POST['aiowps_unlock_request']) || isset($_POST['aiowps_wp_submit_unlock_request'])){
        nocache_headers();
        remove_action('wp_head','head_addons',7);
        include_once(AIO_WP_SECURITY_PATH.'/other-includes/wp-security-unlock-request.php');
        exit();
    }
    

    Alternatively, you may try to code your alternative to this file (as a shortcode or whatever works for you) and just make sure to call the necessary static methods of the plugin. This should work too.

    Greets,
    Česlav

    Thank you again, Česlav.

    Using your hints I succeeded in having the “Request Unlock” button in my custom login page.
    Also, I have the whole unlock request process happening in: mydomain.com/unlock_request/

    My website is multilingual, through the use of the WPML plugin.
    With that said, the less elegant part of my implementation is having to work around some messages that are hard coded and not available for translation in the other-includes/wp-security-unlock-request.php file:

    "You are here because you have been locked out due to too many incorrect login attempts.";
    "Please enter your email address and you will receive an email with instructions on how to unlock yourself.";
    "Send Unlock Request"
    "An email has been sent to you with the unlock instructions."

    not a big deal.

    bigger problem for me (as it might/will break with updates) is with:

    static function send_unlock_request_email($email, $unlock_link)

    I had to comment that out and rewrite my version.

    my issues are:

    $subject = '['.get_option('siteurl').'] '. __('Unlock Request Notification','all-in-one-wp-security-and-firewall');

    get_option('siteurl') returns the url to the WP installation, not the website’s base url
    even then, I would have preferred the website name… I changed that to:

    $subject = get_bloginfo( 'name' ) . '  ' . __('Unlock Request Notification','all-in-one-wp-security-and-firewall');

    and I had to break $email_msg down into smaller parts in order to be able to provide translations through WPML.
    this:

    $email_msg .= __('You have requested for the account with email address '.$email.' to be unlocked. Please click the link below to unlock your account:','all-in-one-wp-security-and-firewall')."\n";

    would have been made available for translation as: “You have requested for the account with email address myownemail@mydomain.com to be unlocked. Please click the link below to unlock your account:”

    so I did rewrite it as:

    $email_msg .= __('You have requested for the account with email address ','all-in-one-wp-security-and-firewall');
    $email_msg .= $email;
    $email_msg .= __(' to be unlocked. Please click the link below to unlock your account:','all-in-one-wp-security-and-firewall')."\n";

    I just thought I would mention it just in case….

    Hi.
    Today I updated to Version 4.2.4 and now I am getting this error:

    Fatal error: Call to undefined method AIOWPSecurity_User_Login::insert_unlock_request_form() in ....

    I was using it in my custom login page to output the “Unlock Request” button.

    How can I do that now?

    Plugin Contributor chesio

    (@chesio)

    Hi,

    The way the plugin inserts the unlock request form changed, so this function has been renamed to AIOWPSecurity_User_Login::get_unlock_request_form(). As the name suggests, it now doesn’t echo the form, but returns an HTML string with the form instead, so you have to echo the result yourself.

    Also, the form is now a true form: <form> and </form> tags are included in the returned string (it wasn’t the case before).

    Sorry for breaking your implementation!

    Cheers,
    Česlav

    What is the setting so that users DO NOT get an email when someone tries to log in with their username, locking them out? Some of our sites get a lot of attempts and users with common usernames are getting notified several times a week.

    Hi Česlav, thank you for the quick reply.

    I replaced the function in my script and added echo in front of it; works perfectly.

    I still have to patch the plugin on every update to fix my issue with the email that is sent after the unlock request…. do you think the small changes I suggest will ever be considered in the next updates?
    (copy and paste from above)

    bigger problem for me (as it might/will break with updates) is with:

    static function send_unlock_request_email($email, $unlock_link)

    I had to comment that out and rewrite my version.

    my issues are:

    $subject = '['.get_option('siteurl').'] '. __('Unlock Request Notification','all-in-one-wp-security-and-firewall');

    get_option('siteurl') returns the url to the WP installation, not the website’s base url
    even then, I would have preferred the website name… I changed that to:

    $subject = get_bloginfo( 'name' ) . ' ' . __('Unlock Request Notification','all-in-one-wp-security-and-firewall');

    and I had to break $email_msg down into smaller parts in order to be able to provide translations through WPML.
    this:

    $email_msg .= __('You have requested for the account with email address '.$email.' to be unlocked. Please click the link below to unlock your account:','all-in-one-wp-security-and-firewall')."\n";

    would have been made available for translation as: “You have requested for the account with email address myownemail@mydomain.com to be unlocked. Please click the link below to unlock your account:”

    so I did rewrite it as:

    $email_msg .= __('You have requested for the account with email address ','all-in-one-wp-security-and-firewall');
    $email_msg .= $email;
    $email_msg .= __(' to be unlocked. Please click the link below to unlock your account:','all-in-one-wp-security-and-firewall')."\n";

    Plugin Contributor chesio

    (@chesio)

    Hi @mikele3,

    Actually the second problem should be resolved already, see the current code: https://github.com/Arsenal21/all-in-one-wordpress-security/blob/master/all-in-one-wp-security/classes/wp-security-user-login.php#L372-L376

    You should have the following string available for translation: “You have requested for the account with email address %s to be unlocked. Please click the link below to unlock your account:” – the “%s” part is a placeholder for the email address that is injected via a call to sprintf.

    I’ll have a look at the subject-line problem.

    Cheers,
    Česlav
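
The difference between the concatenated message and the %s placeholder discussed in the replies above, shown as an added example that is not part of the thread or of the plugin's code. translate_stub() is a hypothetical stand-in for WordPress's __(), and the catalogue, the shortened message and the Italian text are constructed for illustration.

```php
<?php
// Constructed catalogue standing in for a loaded translation file:
// msgid => translated string. The message is shortened and the Italian
// text is a sample translation made up for this example.
$catalogue = [
    'You have requested for the account with email address %s to be unlocked.'
        => "Hai richiesto lo sblocco dell'account con indirizzo email %s.",
];

// Hypothetical stand-in for __(): exact-match lookup on the msgid,
// falling back to the untranslated string when there is no entry.
function translate_stub(string $msgid, array $catalogue): string
{
    return $catalogue[$msgid] ?? $msgid;
}

$email = 'user@example.com'; // constructed sample address

// Concatenated form: the address becomes part of the lookup key, so the key
// is different for every recipient and can never match a catalogue entry.
$concatenated = translate_stub(
    'You have requested for the account with email address ' . $email . ' to be unlocked.',
    $catalogue
);

// Placeholder form: the msgid is a constant string a translator can see and
// translate as one sentence; the address is substituted after the lookup.
$placeholder = sprintf(
    translate_stub(
        'You have requested for the account with email address %s to be unlocked.',
        $catalogue
    ),
    $email
);

// The first line falls back to English, the second is translated.
echo $concatenated, PHP_EOL;
echo $placeholder, PHP_EOL;
```

Because the address is passed to sprintf as an argument rather than being part of the format string, a "%" inside the address is not interpreted as a format specifier.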

    Plugin Contributor chesio

    (@chesio)

    @vasseurb Please, start your own thread.
