[Plugin: Limit Login Attempts] Please comment if you have any questions (7 posts)

  1. johanee
    Member
    Posted 6 years ago #

  2. teranex
    Member
    Posted 6 years ago #

    I just installed this plugin (and it works, I just locked myself out of my blog while giving it a try :) ).
    I have one small comment though: while entering some random username and password I saw that the error message tells if the username exists or not ('invalid username' when it does not exist; 'incorrect password' when it exists). This is a security issue as it could be used to find existing usernames. I think it would be better to just always display 'invalid username or password'.

    Jeroen

  3. johanee
    Member
    Posted 6 years ago #

    Yeah, I locked myself out a few times during development -- good thing to have direct access to the db...

    Re: error messages, I agree. This is fixed in version 1.1 -- during lockdown all other messages (empty password, ...) are filtered out.

    Thank you for the comment,
    Johan

  4. johanee
    Member
    Posted 6 years ago #

    Ok, so having actually read what the message said instead of what I thought it said:

    Yes, strictly speaking this is an information leak in WordPress and it would be better to give the same error message for any bad user/password combination.

    It seems to be possible to keep track of and filter most of the time, and I'll probably add it to a future version.

    Thank you,
    Johan
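
The uniform error message discussed in the two posts above, as an added hardening example for this thread (it is not code from Limit Login Attempts or from WordPress core). It assumes a WordPress site where the file is saved under wp-content/mu-plugins/ (assumed path). WordPress core's own handlers on the 'authenticate' filter return distinct WP_Error codes ('invalid_username' / 'invalid_email' when no such account exists, 'incorrect_password' when it does), which is exactly the leak teranex describes; the plugin name, the constant ULE_LEAKY_CODES, the function name and the 'invalid_credentials' code are all chosen here, not WordPress identifiers:

```php
<?php
/**
 * Plugin Name: Uniform Login Errors (added example, not part of Limit Login Attempts)
 *
 * Collapses WordPress's account-specific login errors into one generic error so
 * a failed login no longer reveals whether the submitted username exists.
 * Assumption: saved as wp-content/mu-plugins/uniform-login-errors.php.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run when loaded by WordPress.
}

/**
 * Core WP_Error codes whose message differs depending on whether the account
 * exists. Any of these is rewritten to the single generic code below.
 * (Codes are WordPress core's; the constant name is ours.)
 */
const ULE_LEAKY_CODES = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

/**
 * Replace a credential-specific WP_Error with a generic one.
 *
 * Hooked at priority 99 so it runs after core's username/password and cookie
 * handlers (priorities 20 and 30) and sees their result. A successful login
 * (WP_User) or a null result passes through untouched, as do errors that do
 * not distinguish accounts, e.g. 'empty_username' / 'empty_password'.
 *
 * @param WP_User|WP_Error|null $user     Result of earlier 'authenticate' handlers.
 * @param string                $username Submitted username or e-mail.
 * @param string                $password Submitted password.
 * @return WP_User|WP_Error|null
 */
function ule_uniform_authenticate_error( $user, $username, $password ) {
    if ( ! is_wp_error( $user ) ) {
        return $user;
    }
    if ( ! array_intersect( ULE_LEAKY_CODES, $user->get_error_codes() ) ) {
        return $user; // Not an enumeration leak; keep the original message.
    }
    // Same code and same text whether the user exists or not, so the two
    // failure paths are indistinguishable to the client.
    return new WP_Error(
        'invalid_credentials',
        __( '<strong>Error:</strong> Invalid username or password.' )
    );
}
add_filter( 'authenticate', 'ule_uniform_authenticate_error', 99, 3 );
```

Rewriting the WP_Error on the 'authenticate' filter, rather than overwriting the rendered HTML with the 'login_errors' filter, keeps unrelated errors (empty fields, a lockdown notice that a plugin such as this one appends) intact while removing only the account-revealing distinction. To check the change, submit a non-existent username and then a real username with a wrong password: both responses should now carry the identical message. Note that the lost-password form reports "no account with that username or email address" through a separate code path, so the same treatment is needed there if username enumeration is a concern for the site.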

  5. ballinascreen
    Member
    Posted 6 years ago #

    Perhaps this is by design, but following a successful login, shouldn't the login counter be reset to its start value? On my development blog what I've been finding is that after failing at least one login attempt, the additional Limit Login information is displayed as you would expect, i.e.

    Error: Incorrect Username and Password
    X attempts remaining.

    However, if I now successfully log in, and then log out, when I am subsequently returned to the login screen I now see:

    X attempts remaining - surely this should reset after a successful login and not be re-displayed to the user unless the number of attempts left is less than the maximum allowed?

    Am I missing something - or is this behaviour by design?

  6. johanee
    Member
    Posted 6 years ago #

    Yes this is by design, see the separate topic:
    http://wordpress.org/support/topic/235909

  7. rbuj
    Member
    Posted 6 years ago #

This topic has been closed to new replies.