[Plugin: Login Security Solution] change password loop if site under attack when logging in

  • Resolved Jason Lewis

    (@jasonblewis)


    Hi,

    My site was undergoing brute force attack today and then one of my admins tried to log in and got stuck in a loop of “change password” to verify yourself.

    Each time she changed password, I got an email:

    Your website, XXX, may have been broken into.

    Someone just logged in using the following components. Prior to that, some combination of those components were a part of 254 failed attempts to log in during the past 120 minutes

    Maybe another reason for some kind of white list to ensure this kind of lock out does not happen?

    http://wordpress.org/extend/plugins/login-security-solution/

Viewing 6 replies - 16 through 21 (of 21 total)
  • Plugin Author Daniel Convissor

    (@convissor)

    Jason:

    When you look at the output of that second query for you and your associate’s user name, do you see any IPs that are legitimately yours or theirs? Which ones?

    I see some that look like they are and there is overlap between those of you and your associates.

    Is there a pattern? What part of the output corresponds to when you folks were in the password reset loops?

    What’s the output of the following. Does anything correspond to the above?


    select user_login, meta_value
    from wp_usermeta
    join wp_users on (wp_usermeta.user_id = wp_users.ID)
    where meta_key = 'login-security-solution-verified-ips';

    Thanks,

    –Dan

    Hi Dan,

    That gives both mine and my associate’s user names and the valid IP addresses.

    I log in from 2 IPs and they log in from 1 currently. We share 1 IP address.

    Jason

    Plugin Author Daniel Convissor

    (@convissor)

    Jason:

    The goal here is to figure out the correlation between those IPs, failure times and the times of the password reset loops.

    So what are those legit IPs, what are the values in the verified IP metadata for each of you, and what are the times of the reset loops?

    –Dan

    Ah, ok.

    I will email you that info.

    Jason

    Plugin Author Daniel Convissor

    (@convissor)

    Hi Jason:

    Between seeing the list of emails in your inbox and reviewing my code I figured out what was going on. There’s a combination of expected (though undesirable) behaviors and a bug. Both have been fixed in the new release, 0.28.0.

    When a successful login happens during an attack (whether by a legitimate user or an attacker) an email is sent to the admin and the user. Since you are both, you got two emails for each login. And the subject line of both emails was the same.

    The subject line for the user notification email has been modified to differentiate them. Now the admin and user emails only go out if the user’s IP has not been verified and the number of failed attempts from the user’s IP address is over the “Breach Email Confirm” threshold. In addition, the user email message now provides the steps for verifying one’s email address to avoid future annoyance.

    Thanks for all your help,

    –Dan
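The following is an added illustration of the notification rule Dan describes in the reply above, written for this page; it is not the plugin’s own code. It reconstructs the two behaviours from the thread: the pre-0.28.0 rule fires whenever any component of a successful login (user name or IP) appeared in recent failures, which is what put a legitimate admin into the reset loop while an attacker was hammering her user name; the 0.28.0 rule fires only when the login IP is not in the user’s verified-IP list and the failures from that IP exceed the “Breach Email Confirm” threshold. The 120-minute window comes from the quoted e-mail; the threshold value, field names, sample IPs and the failure log are constructed assumptions.

```python
"""Reconstruction of the breach-notification decision discussed in the thread.

Not the Login Security Solution plugin's code. The window length (120 min) is
taken from the admin e-mail quoted in the first post; the threshold value,
record layout, IPs and log contents below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=120)  # "during the past 120 minutes" in the admin e-mail


@dataclass(frozen=True)
class FailedAttempt:
    """One failed login as the plugin would have to record it (assumed layout)."""
    when: datetime
    ip: str
    user_login: str


@dataclass(frozen=True)
class Settings:
    """Assumed value for the plugin's "Breach Email Confirm" option."""
    breach_email_confirm: int = 5


def failures_from_ip(log, ip, now, window=WINDOW):
    """Count failed attempts from `ip` inside the window ending at `now`."""
    return sum(1 for a in log if a.ip == ip and now - window <= a.when <= now)


def failures_involving(log, ip, user_login, now, window=WINDOW):
    """Count failures where *any* component (IP or user name) matches the login."""
    return sum(
        1 for a in log
        if (a.ip == ip or a.user_login == user_login) and now - window <= a.when <= now
    )


def old_rule(log, login_ip, user_login, now):
    """Pre-0.28.0 behaviour as described in the thread (reconstruction):
    mail admin and user if any component of the login shows up in recent failures.
    A legitimate admin whose user name is under attack trips this from a clean IP."""
    return failures_involving(log, login_ip, user_login, now) > 0


def new_rule(log, verified_ips, login_ip, now, settings=Settings()):
    """0.28.0 behaviour as described by the author: mail only when the login IP
    is unverified AND failures from that specific IP exceed the threshold."""
    if login_ip in verified_ips:
        return False
    return failures_from_ip(log, login_ip, now) > settings.breach_email_confirm


def verify_ip(verified_ips, ip):
    """What the user's confirmation step achieves: the IP joins the verified
    set (stored per user in usermeta), so later logins from it stay quiet."""
    return frozenset(verified_ips) | {ip}


# --- constructed sample data -------------------------------------------------
NOW = datetime(2012, 6, 1, 12, 0, 0)
ATTACKER_IP = "203.0.113.7"          # documentation range, not a real attacker
ADMIN_VERIFIED = frozenset({"198.51.100.5", "198.51.100.6"})
# 254 failures against "admin" from one IP, 20 s apart (about 85 min of activity)
SAMPLE_LOG = [
    FailedAttempt(NOW - timedelta(seconds=20 * i), ATTACKER_IP, "admin")
    for i in range(254)
]


if __name__ == "__main__":
    legit_ip, unverified_legit_ip = "198.51.100.5", "192.0.2.9"
    print("admin from verified IP, old rule :", old_rule(SAMPLE_LOG, legit_ip, "admin", NOW))
    print("admin from verified IP, new rule :", new_rule(SAMPLE_LOG, ADMIN_VERIFIED, legit_ip, NOW))
    print("admin from unverified clean IP   :", new_rule(SAMPLE_LOG, ADMIN_VERIFIED, unverified_legit_ip, NOW))
    print("attacker guesses right, new rule :", new_rule(SAMPLE_LOG, ADMIN_VERIFIED, ATTACKER_IP, NOW))
```

Run it as-is to see the difference that caused the loop: under the old rule the admin’s own login from a verified IP is flagged because her user name was in the 254 failures, while under the new rule only the attacker’s IP, with 254 failures behind it, triggers the e-mails. An unverified but clean IP stays quiet too, since it has no failures above the threshold.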

    Hi Dan,

    That’s great to hear. I’ve upgraded.

    Thanks for your perseverance in working through the issues.

    Jason

  • The topic ‘[Plugin: Login Security Solution] change password loop if site under attack when logging in’ is closed to new replies.