[Resolved] [Plugin: Login Security Solution] Password Reset Loop

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Daniel Convissor

    @convissor

    Hi st0l1:

    Thanks to you and your friend for diligently testing my plugin.

    700 requests in 90 minutes comes out to about one every seven seconds. That’s a far cry from the 8 requests every second I can post with valid credentials to my dev box. In 90 minutes, my test with legit login info would have made 43,380 requests. For your partner to get 1 request every 7 seconds, I’m going to guess they were running six threads at once.

    The password reset behavior you’re seeing is expected behavior. This is because you’re making the bogus logins from the same IP you’re trying to make legitimate logins from. Therefore, my plugin assumes you’re the attacker (because, well, you are :).

    Under the most likely scenarios, attackers are coming in from addresses on other networks. When such scum are attacking your user name with different passwords, the plugin permits you, the legitimate user, to log in after the verification / password reset process.

    Thanks again,

    –Dan

    Well, that makes complete sense. Thank you for your quick and informative response. After talking with our partner today I found they were seeing a very noticeable decrease in typical vulnerability tests they perform. Knee-jerk reaction was to find a solution that bans the malicious IP automatically. However, your plugin does a nice job of sending up a red flag once an attack starts. Steps can then be taken to quell the attack IF needed, rather than a blanket ban policy. I feel better about it now, where I was quite worried before. Thanks Dan.
