Daniel Convissor
Forum Replies Created
Forum: Plugins
In reply to: [Login Security Solution] [Plugin: Login Security Solution] NOT RECOMMENDED
Hi P3air:
The reason I asked for a proof of concept is because I’m pretty sure this plugin already handles the scenario you’re mentioning. The Login Security Solution checks all WordPress’ authentication hooks, not just activity in wp-login.php.
It’d be great if you were actually interested in improving security by participating in the open source community.
You may say I’m a dreamer
But I’m not the only one
I hope someday you’ll join us…
Forum: Plugins
In reply to: [Login Security Solution] Full IP address
Hi George:
The address shown in the email is the address used for the counting/blocking.
All of the login checking WordPress plugins use the network component approach.
Thanks.
Forum: Plugins
In reply to: [Login Security Solution] Locked out from website.
Sorry you’re having problems. The message mentioned in your first post was not generated by the Login Security Solution (LSS). And once the LSS has been removed, there’s no way for it to impact your site. Your problem is coming from something else. Good luck.
Forum: Plugins
In reply to: [Login Security Solution] [Suggestion] add optional SYSLOG of failed logins
Nice job invisnet. Though your use of anonymous functions (thus requiring PHP 5.3) seems unnecessary to me.
Maybe I’ll put this in a future release. Maybe not. Either way, WP fail2ban does the job.
Forum: Plugins
In reply to: [Login Security Solution] [Plugin: Login Security Solution] NOT RECOMMENDED
P3air:
Most of brute force attacks are jQuery driven: every 2 sec. a bounce against login/database.
Thank you for finally explaining your scenario. Can you please provide a sample payload and the path (URI without domain) of such a request?
Thanks.
Some or all of this stuff may be getting into core:
http://core.trac.wordpress.org/ticket/21737
Forum: Plugins
In reply to: [Login Security Solution] wp-login.php gives error after mistyped/bad login
That error happens when something (another plugin) is trying to access the database to generate the login page’s footer.
Which version of my plugin are you using?
What other plugins are you using?
Pha3z: You’re correct. And yes, a forgery won’t get a reply, but one doesn’t need a reply to wage a DDOS or login attack. –Dan
Forum: Plugins
In reply to: [Login Security Solution] WordPress.org Security
Hi Jim:
Those are questions for other areas of the wordpress.org support forums. This section is for support of the Login Security Solution.
But you raise a good point. TLS/HTTPS should be used for the act of logging in (to protect the username and password) and once you are logged in (to protect auth cookie data). I suggest opening a ticket on http://core.trac.wordpress.org/ and then having a polite conversation with the core team on #wordpress-dev.
–Dan
Elainehh:
1) If you are seeing the errors mentioned in this post, you’re not using the latest version of the plugin. Please upgrade the plugin to version 0.34.0.
2) The bug in question just makes a mess on your screen; it doesn’t prevent you from logging in. Anyway, if you still can’t get in, you can download the latest version of the plugin to your personal computer, unzip it, then upload those files to your web server via SFTP.
3) Ask your ISP how to adjust your php.ini settings.
–Dan
Billy: Glad it’s sorted out. When you get a chance, ratings, “works” votes and financial contributions are always appreciated, please. –Dan
Forum: Plugins
In reply to: [Login Security Solution] HELP!! Site getting hammered, same IP address
Is there a way to see the passwords attempted?
No. Storing clear text passwords is a bad, bad idea.
shouldn’t the login attempts have been limited to just two a minute max after ten failed attempts
As mentioned in the FAQ, the attacker is using multiple threads to make the attempts. The slowdown makes each thread go slower.
Are there any known issues with IP blocking wp-login file?
Should be okay.
Billy:
Since you did the testing from the same IP address you’re trying to log in from, the LSS thinks you’re an attacker. And rightfully so. That means the password reset process isn’t going to help you.
If you have the ability to run queries directly against the database, you can drop the records in the login solution fail table.
–Dan
Forum: Plugins
In reply to: [Login Security Solution] Compatibility with BAW More Secure Login
From a quick look, it should be okay. Let me know if you run into problems.
Hi Mike:
Adding means to view and report on the failures is a good idea and is on my to do list, but it’s a low priority. Adding hooks to external providers is beyond the scope of this plugin. The reason for both of these answers is that creating and maintaining the existing functionality has been and continues to be a large enough task.
Thanks for your feedback and suggestions,
–Dan