Daniel Convissor
Forum Replies Created
Forum: Plugins
In reply to: [Login Security Solution] Locked out of own site
Thanks for the details.
The problems accessing wp-login.php were via web browser, correct? You mention an Android app, so just making sure.
First, LSS doesn’t do any special checking on arrival at wp-login.php. If LSS is letting you see other parts of the site, LSS will let you see wp-login.php too.
Second, LSS doesn’t produce 403’s.
Perhaps you have a modified version of LSS? I’ve seen some folks use LSS’s data and/or modified versions of the plugin to reject access to the login page. More likely, you have another plugin that’s at issue.
Which plugin are you using for your two factor auth? What other plugins do you have installed? What comes out if you run
grep -r 403 .
on your plugins directory?
I’m not trying to pass the buck here. But like I said above, the behavior being described doesn’t match how LSS works.
I hear you that removing LSS solved the problem. That _could_ be a coincidence.
Forum: Plugins
In reply to: [Login Security Solution] Locked out of own site
Hi Folks:
Which version of Login Security Solution were you using? 403 Error? LSS doesn’t return 403 responses. Please elaborate with specifics of what was happening in the environment, attacks that were happening, what steps you took to get a 403 in your browser and exact messages you received.
As far as SQL, this plugin stores failure attempts in the <prefix>login_security_solution_fail table. Deleting the data in there should resolve most issues.
–Dan
Forum: Plugins
In reply to: [Login Security Solution] Force individual user password change
Hi Tom:
Absolutely!
Keep up the good sleuthing,
–Dan
Forum: Plugins
In reply to: [Login Security Solution] Plugin Rejecting Solid Passwords
Hi Ian:
I just updated my password to your example “srZ@!RaL5xlY+pyA$46^” and it was accepted. The “Password is too common.” error message is produced when the password tried fails the
is_pw_dictionary() test. That means you have a file in the login-security-solution/pw_dictionaries directory that contains the password you’re trying. Or there’s a bug in my code that gets triggered by a file you have in one of your dictionary files. Feel free to send me your dictionary files. (See email address in the class level docblock in the plugin files.) Or better yet, dig into the code, add some debugging steps and see what’s happening. 🙂
Do note, that some of the _other_ tests are run against the non-leet, alpha only password. So you may be getting tripped up by that, but you’d be seeing different error messages.
Thanks,
–Dan
Release 0.42.0 improves the text of the warning messages so they explain who turned the mode on and how to turn it off.
A simple way to keep sites from getting totally bogged down is adjusting the LSS’ “Delay Tier 2” and “Delay Tier 3” settings to large numbers.
Forum: Plugins
In reply to: [Login Security Solution] Password Strength settings
“the password security features [are] too onerous given what information we’re ‘protecting’”
The _vast_ majority of malware (etc) is spread via legitimate websites that have been compromised. Enforcing password strength is not about protecting your site’s data, it’s about protecting everyone on the Internet.
Forum: Plugins
In reply to: [Login Security Solution] Deprecation Checker: just a heads up
Thanks for the heads up.
A simple way to keep sites from getting totally bogged down is to adjust the LSS’ “Delay Tier 2” and “Delay Tier 3” settings to large numbers.
Gplasky:
Thank you, thank you, thank you! That debugging information led me to the solution fairly quickly.
This issue has been fixed in the 0.41.0 release.
–Dan
Forum: Plugins
In reply to: [Login Security Solution] Still can't get into
Release 0.40.0 fixes the infinite loop when the “attacking” IP address is the one the user is logging in from.
Hi Lponce:
Can you please provide valuable assistance by doing the debugging / testing I’ve mentioned in various posts? Another “me too” post doesn’t move the ball forward.
Thanks,
–Dan
Forum: Plugins
In reply to: [Login Security Solution] Stopped recording IP in database?
Examine the “Count” column in the email. It shows there was only one hit for the Network IP but 50 for the Username.
Please note, the email shows the data for the attempt that takes you over the reporting threshold. To show the exact data set in question you’d need to use all three data points in the query’s WHERE clause: Network IP, Username and Password MD5. Putting only one or two items in the WHERE clause will produce different results.
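The point about the WHERE clause, as an added example that is not the plugin's own code: a constructed in-memory copy of the fail table (column names ip, user_name and pass_md5 are assumed, and "wp_" stands in for <prefix>) shows why a query on only the Network IP, only the Username, or all three data points gives different counts.

```python
import hashlib
import sqlite3

# Assumed table/column names for this example; the plugin's real schema may differ.
# "wp_" stands in for the <prefix> mentioned in the post.
TABLE = "wp_login_security_solution_fail"


def build_sample_db():
    """Constructed data: 50 failures for one username, each from a different
    IP, all with the same password. One of those IPs is the one named in the
    report e-mail, so it has exactly one row."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {TABLE} (ip TEXT, user_name TEXT, pass_md5 TEXT)")
    pw_md5 = hashlib.md5(b"password123").hexdigest()   # constructed sample value
    rows = [("203.0.113.%d" % (i + 1), "admin", pw_md5) for i in range(50)]
    db.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?)", rows)
    return db


def count_failures(db, ip=None, user_name=None, pass_md5=None):
    """Count rows matching whichever of the three data points are supplied.
    Supplying all three isolates the exact attempt set the e-mail reported;
    supplying one or two gives a different (usually larger) count."""
    clauses, params = [], []
    for col, val in (("ip", ip), ("user_name", user_name), ("pass_md5", pass_md5)):
        if val is not None:
            clauses.append(f"{col} = ?")
            params.append(val)
    sql = f"SELECT COUNT(*) FROM {TABLE}"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return db.execute(sql, params).fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    md5 = hashlib.md5(b"password123").hexdigest()
    print("Network IP only:", count_failures(db, ip="203.0.113.1"))        # 1
    print("Username only:  ", count_failures(db, user_name="admin"))      # 50
    print("All three:      ", count_failures(db, ip="203.0.113.1",
                                             user_name="admin", pass_md5=md5))  # 1
```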
Forum: Plugins
In reply to: [Login Security Solution] Stopped recording IP in database?
You’re looking at some user interface. You’ll need to SSH into the server and look at the raw logs.
Forum: Plugins
In reply to: [Login Security Solution] Stopped recording IP in database?
In your web server access logs, were the requests HTTP POST or GET? If it’s GET, then it’s just the page being loaded. If it’s POST, then it’s probably an auth request.
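The GET-versus-POST check on the raw access logs, as an added example (not the plugin's code): it parses constructed Apache-style combined log lines, keeps only requests for wp-login.php, and separates page loads (GET) from submitted credentials (POST) per client IP.

```python
import re
from collections import Counter

# Constructed sample log lines (documentation IP ranges), not real server logs.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2013:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 3512
198.51.100.7 - - [10/Oct/2013:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3600
198.51.100.7 - - [10/Oct/2013:13:55:43 +0000] "POST /wp-login.php HTTP/1.1" 200 3600
203.0.113.5 - - [10/Oct/2013:13:56:02 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3512
203.0.113.5 - - [10/Oct/2013:13:56:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [10/Oct/2013:13:57:00 +0000] "GET /wp-content/plugins/foo.css HTTP/1.1" 200 120
"""

# client IP, request method, request path, status code from the common/combined format
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')


def login_requests(log_text):
    """Return {ip: Counter({"GET": n, "POST": n})} for wp-login.php requests only.
    A GET is just the login page being loaded; a POST carries a submitted form,
    which is what an authentication attempt looks like in the access log."""
    counts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that are not in log format
        ip, method, path, _status = m.groups()
        if path.split("?", 1)[0] != "/wp-login.php":
            continue                      # ignore query string, keep only the login page
        counts.setdefault(ip, Counter())[method] += 1
    return counts


def likely_auth_attempts(log_text):
    """IPs that POSTed to wp-login.php, with how many times each."""
    return {ip: c["POST"] for ip, c in login_requests(log_text).items() if c["POST"]}


if __name__ == "__main__":
    for ip, c in login_requests(SAMPLE_LOG).items():
        print(ip, "GET:", c["GET"], "POST:", c["POST"])
```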