Support » Plugin: Limit Login Attempts » SCARY! Limit Login Attempts lockout bypassed?

Viewing 15 replies - 16 through 30 (of 41 total)
  • I’m using the latest Limit Login Attempts… and have had over 1,100 brute force attacks over the course of the last 20 days (on two websites); originating from less than a dozen IPs. Also, the logging is completely inaccurate. Fortunately, I’ve hardened my site with other methods/practices creating layers of protection. However, this plugin is now as effective as a canoe made from a screen door.

    When should we expect a patch for this plugin? The option to limit attacks on a geographical level would be awesome…

    As someone who does WordPress presentations for other professionals, I can say a significant percentage (over 40% in Silicon Valley) of small businesses STILL use ‘admin’ as their user login name. “…but ‘admin’ is the WordPress default…,” business owners say to me, in just recent weeks.

    Why isn’t Automatic or the WordPress Foundation addressing security flaw?? This is crazy. It doesn’t have to be this difficult; and, being a security company isn’t the business model for most of us.

    Hi Johan:

    I see the existing code is handling the auth_cookie_bad_hash action, but is not set up for the auth_cookie_bad_username action. So users are not protected against horizontal attacks, where the miscreant uses the same hash but changes user names. This is probably why your users are still having problems.

    That aside, it seems like you’re doing way too much work with cookies in general. It’s not necessary to clear out the cookie. If the person is an attacker, they’re coming back with a different cookie anyway. If it’s a legit user with a corrupted cookie (unlikely), WP won’t let them, force them to log in again, at which point they get a new cookie.

    –Dan

    Hi there,

    I also am experiencing repeated brute force attacks with hundreds of attempts within minutes that the 1.7.1 version of the plugin is not blocking. Would be happy to provide any details necessary to track this down as it’s getting tiresome to manually block IP adresses in cPanel which is pretty futile in the end.

    Thanks!

    Hi Pixelyzed,

    Swap out limit logins for a new plugin, Login Security Solution. What I like most about this on is that if the hacker eventually breaches a user/password combination, it automatically logs the [unauthorized] user out and sends an email to the real account holder asking to change their password before logging in.

    Good luck, Pete.

    Hi Johan?

    Any chances to find out what is going wrong?
    Thank you for your time!

    Jamy

    Hi Johan,

    I dont receive any email when there is any lockout. However, email system works with other plugins on my website(http://www.e-queries.com).

    Thanks
    Guru

    @myinternetscout
    A new plugin? But I am on WordPress v3.2.1 and it seems the plugin you are talking about only deals with WP v3.3 or higher πŸ™

    JamesBB,
    You need to upgrade to WP 3.4.1. There are known security holes in every other older version. Is there a reason you haven’t upgraded?

    You can also easily ban IPs with this plugin: http://wordpress.org/extend/plugins/wp-ban/

    @myinternetscout
    Yes you are right but there always are new security holes as far as new code is added πŸ™‚
    Anyway WP 3.2.1 is a pretty stable and safe version.

    When you have a CMS type of site with hundreds of pages + many plugins and tuning, it’s still a pain to upgrade every time there’s a new release and make sure everything works perfect.

    Quite a few sites are also in the same situation and don’t really feel to permanently update with all the risks of problems that could pop up. When something runs smooth and you see your stats going up every day with more users and more backlinks, I prefer to let it go for a while even if I don’t have the latest bells and whistles. This is why for some sites I don’t upgrade every time a new release goes out but maybe once a year…

    Hopefully most plugins at least supports WP3 versions not just the latest WP version that went out a few weeks ago.

    Cheers!
    J

    @jamesbb: The problem is that once new versions of WordPress are released the changes made are public information… i.e. it easy to see which security fixes have been made since, say, 3.2.1 and then exploit those…

    Ex: http://securitywatch.pcmag.com/none/301602-reuters-hacked-again-outdated-wordpress-blog-at-fault

    They use(d) version 3.1.1 but still…

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    The problem is that once new versions of WordPress are released the changes made are public information… i.e. it easy to see which security fixes have been made since, say, 3.2.1 and then exploit those…

    Just to chime in for a bit, you’ve put the focus on what’s not the problem for that specific instance: the problem was that they used an outdated version of WordPress and was compromised as a result.

    Sometimes a vulnerability is identified and patched before someone has apparently exploited it, and when those are discovered a patch is tested and released.

    But more times than not, someone reports something that already being exploited. Those patches are “Patch now or suffer the consequences!” and notifications are sent, your WordPress dashboard nags you, etc. There have been a few like that and that’s a big reason why it’s important to maintain your installation and software versions.

    @andersvinther2 and @jan Dembowski
    Yes I totally agree with you both and I even myself recommend to anyone around to keep everything updated, not only WordPress but browsers (Firefox, Chrome,etc) and whatever softwares.
    In the case I was referring to was a kinda “closed” CMS without people commenting, not as popular as big sites of course and quite different from the average blog…But anyway I agree, latest is best…

    Finally how much do they get every month these guys in Reuters to confess such rubbish: “Security Watch checked the HTML source code and found a line in the header code indicating the page had been generated using version 3.1.1. Mark Jaquith, one of the lead developers of WordPress, confirmed that was the case in an email.”

    I mean this is the basic of basic known by any kid and beginners in WP blogging with recommendations published in thousands of posts/articles about WordPress security…”Remove the WP version in header”
    And supposed to be Pro guys in a well known company did not do anything about it? I guess they still use “admin” in their login πŸ™‚ πŸ™‚
    Well sorry to say but they deserved to be hacked!

    Cheers!
    J

    hi, i am using limit log in plugin. but i been seeing login tries 50-60 times even though the IP is in lockouts list. for 3 times that and i put 3 lockouts to extended lockout time but it’s not working as well. can anybody suggest how its happening? What i can do? the IP that has done it 30 mins ago:
    Admin tried to log in to Mysite
    IP ns3.ehosting.biz | 195.190.13.158
    User agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)

    this guy tried more than 60 time in 10-15 mins duration. my lockout limit is 2 attempts
    Please help
    Thanks

    Same issue as shamratdewan has happened to me. The IP was locked out however, and login attempts stopped once it was locked. They were able to attempt 30+ logins, but I have the login attempt count set to 6.

Viewing 15 replies - 16 through 30 (of 41 total)
  • The topic ‘SCARY! Limit Login Attempts lockout bypassed?’ is closed to new replies.