WordPress.org

Forums

Login Security Solution
[resolved] Question about resetting passwords (3 posts)

  1. tomdkat
    Member
    Posted 2 years ago #

    I maintain a blog which is currently under attack. Login Security Solution has been notifying me about the failed login attempts, as its supposed to. However, I've run into an interesting situation and here's the scenario:

    A hacker uses my WordPress login id in an attempt to login to WordPress. The attempts fail repeatedly. Eventually, _I_ will try to login to WordPress, using my correct password. I will be informed of the need to reset my password. Let's assume I'm able to reset the password and get logged in to WordPress ok. Cool.

    Here's my question: what happens if the hacker continues to attempt to login to WordPress using my login id and incorrect passwords? I can see the hacker effectively blocking me from logging in to WordPress because I'm repeatedly having to reset my password, due to the _hacker's_ failed login attempts.

    Here's another question: if a hacker attempts to login to WordPress using my id and the incorrect password, why am I eventually required to reset my password at all?

    Thanks!

    Peace...

    http://wordpress.org/extend/plugins/login-security-solution/

  2. Daniel Convissor
    Member
    Plugin Author

    Posted 2 years ago #

    What happens if the hacker continues to attempt to login to WordPress using my login id and incorrect passwords? I can see the hacker effectively blocking me from logging in to WordPress because I'm repeatedly having to reset my password, due to the _hacker's_ failed login attempts.

    Whenever you update your profile or reset your password, Login Security Solution stores your IP address to a white list. When someone successfully logs in during an attack, LSS checks the current user's IP address. If the IP has not been part of the attack and is in the white list, you'll be let through as a normal log in. The password reset step is used when the current IP isn't in the white list (or matches one of the attacking addresses).

    If a hacker attempts to login to WordPress using my id and the incorrect password, why am I eventually required to reset my password at all?

    Because what if the attacker made a lucky guess? You'd have a real problem on your hands. So LSS uses the password reset process to verify the identity of people coming in from IP's not in the white list.

    Hope this clears things up. Let me know if you have any further questions.

  3. tomdkat
    Member
    Posted 2 years ago #

    Sounds great! Thanks!

    Peace...

Topic Closed

This topic has been closed to new replies.

About this Plugin

  • Login Security Solution
  • Frequently Asked Questions
  • Support Threads
  • Reviews

About this Topic

Tags

No tags yet.