Support » Plugins » [Plugin: Limit Login Attempts] Please comment if you have any questions

Viewing 6 replies - 1 through 6 (of 6 total)
  • I just installed this plugin (and it works, i just locked myself out of my blog, while giving it a try 🙂 ).
    I have one small comment though: while entering some random username and password I saw that the error message tells if the username exists or not (‘invalid username’, when it does not exist; ‘incorrect password’ when it exists). This is a security issue as it could be used to find existing usernames, i think it would be better to just always display ‘invalid username or password’.

    Jeroen

    Yeah, I locked myself out a few times during development — good thing to have direct access to the db…

    Re: error messages, I agree. This is fixed in version 1.1 — during lockdown all other messages (empty password, …) are filtered out.

    Thank you for the comment,
    Johan

    Ok, so having actually read what the message said instead of what I thought it said:

    Yes, strictly speaking this is an information leak in WordPress and it would be better to give the same error message for any bad user/password combination.

    It seems to be possible to keep track of and filter most of the time, and I’ll probably add it to a future version.

    Thank you,
    Johan

    Perhaps this is by design, but following a successful login, shouldn’t the login counter be reset to its start value. On my development blog what I’ve been finding is that after failing at least one login attempt, the additional Limit Login information is displayed as you would expect i.e.

    Error: Incorrect Username and Password
    X attempts remaining.

    However, if I now successfully log in, and then log out, when I am subsequently returned to the login screen I now see:

    X attempts remaining – surely this should reset after a successful login and not be re-displayed to the user unless the number of attempts left is less than the maximum allowed?

    Am I missing something – or is this behaviour by design?

    Yes this is by design, see the separate topic:
    http://wordpress.org/support/topic/235909

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘[Plugin: Limit Login Attempts] Please comment if you have any questions’ is closed to new replies.