Login Security Solution
[resolved] Password Reset Loop (3 posts)

  1. st0l1
    Posted 2 years ago #

    I installed this plugin to test it out on a dev project I am working on. I just entered some wrong information in the login prompt multiple times to check the slow down. Which worked in a browser based log in scenario. A partner that we work with was attempting a brute force attack from another location. They managed over 700 failed attempts from the same IP, almost 600 attempts used the same Username in a little less than 1 hour and 30 minutes. I will find out what method they were using tomorrow. That's pretty disconcerting though. If the tiered slow down was working there is no way they could have logged that many attempts in 1.5 hours. Right?

    With that said, I am guessing my IP is now locking my user out. I made 8 or so intentional erroneous logins. Now when I try and log in I get the password reset prompts. I enter the username, click on the link in the email sent, reset the password, login with username and new password successfully, but when I click on the dashboard it kicks me to the password reset function again.

    I RDP'd into a remote box and preformed the password reset function and successfully get into wp-admin. When I switch back over to the local machine afterwards, boom, password reset rigamarole!


  2. Daniel Convissor
    Plugin Author

    Posted 2 years ago #

    Hi st0l1:

    Thanks to you and your friend for diligently testing my plugin.

    700 requests in 90 minutes comes out to about one every seven seconds. That's a far cry from the 8 requests every second I can post with valid credentials to my dev box. In 90 minutes, my test with legit login info would have made 43,380 requests. For your partner to get 1 request every 7 seconds, I'm going to guess they were running six threads at once.

    The password reset behavior you're seeing is expected behavior. This is because you're making the bogus logins from the same IP you're trying to make legitimate logins from. Therefore, my plugin assumes you're the attacker (because, well, you are :).

    Under the most likely scenarios, attackers are coming in from addresses on other networks. When such scum are attacking your user name with different passwords, the plugin permits you, the legitimate user, to log in after the verification / password reset process.

    Thanks again,


  3. st0l1
    Posted 2 years ago #

    Well that makes complete sense. Thank you for your quick and informative response. After talking with our partner today I found they were seeing a very noticeable decrease in typical vulnerability tests they perform. Knee jerk reaction was to find a solution that bans the malicious IP automatically. However, your plugin does a nice job of sending up a red flag once an attack starts. Steps can then be taken to quell the attack IF needed, rather than a blanket ban policy. I feel better about it now, where I was quite worried before. Thanks Dan.

Topic Closed

This topic has been closed to new replies.

About this Plugin

  • Login Security Solution
  • Frequently Asked Questions
  • Support Threads
  • Reviews

About this Topic