Daniel Convissor
Forum Replies Created
Forum: Plugins
In reply to: [Login Security Solution] HELP!! Site getting hammered, same IP address
All password tried are VERY long and seem totally random.
The “passwords” sent in the emails and stored in the database are _hashes_ of the password, not the passwords themselves. This is for security reasons.
they eventually got a hold of the CORRECT username is quite obscure.
There are several ways. Many themes have links in the post to view content by that user. Or folks can probe various ID numbers this way: example.com/?author=1.
Also, using .htaccess in my wp-admin folder, I am blocking access to any IP address but three. HOW IS IT POSSIBLE that they can even attempt a login?
wp-login.php is in the root directory of the wp install, not the wp-admin dir.
Finally, why is it that LSS is not blocking like it should by creating long delays.?
This is covered in this plugin’s FAQ.
Forum: Plugins
In reply to: [Login Security Solution] Have Captcha?
No, the plugin does not have a CAPTCHA feature, nor is it something I’ll be adding. Other plugins already provide such.
Oh, yeah, Skippy: When you get a chance, I would be most appreciative if you can give the plugin a good rating and a “works” vote. Financial contributions are always welcome too. 🙂 Thanks, –Dan
The new release, 0.34.0, is now out and has this fix in it. Coatastic, when you get a moment, I would appreciate it if you can rate the plugin and provide a “works” vote for the new release.
Skippy:
Thanks for the report and your testing. Glad I could help. The new release, 0.34.0, is out with the fix.
The reason for the bug is there are multiple code paths into my login_errors() filter method and wp-login.php uses two conventions for naming the WP_Error object: $errors and $wp_error. I had only accounted for the paths that set $errors. Now the method handles both.
–Dan
I found an oversight in my plugin, Login Security Solution. A potential fix has been posted there.
Skippywp: I made some changes to my plugin. Can you please copy this file into place and see if it fixes the problem you’re seeing?
Hmm… Doing further analysis…
The Theme My Login plugin is doing something wrong, causing the $errors variable to not be available. Perhaps they’re missing a global $errors; call at the top of a function or something similar.
Dean:
Great catch! Turns out the error Coatastic is seeing is from the disable_functions ini setting. I adjusted this plugin’s code accordingly and pushed it to GitHub.
Also, thanks for the inspiration to finally sign up for a Stack Overflow account. I took the function from here and copied it to a new answer on that thread (upvote! :)).
Thanks,
–Dan
I just committed a change that will skip the exec() calls if safe_mode is on. It will be in the next release, 0.34.0, whenever that comes out.
Dean: For future reference, pre-setting $result was unnecessary in my tests (PHP 5.2 on a Linux box).
Hi Coatastic: Check your web host’s documentation and/or customer service department. Use search engines for any remaining questions. –Dan
Hi Coatastic:
You have safe_mode and display_errors on in your php.ini.
First, basic security protocols dictate that display_errors should be off.
Second, safe_mode is deprecated and has been removed in PHP 5.4, so should not be used.
–Dan
Forum: Plugins
In reply to: [Login Lock] Replacement for Login Lock
Hi Scientic:
The “Getting error: This webpage has a redirect loop” covers why the plugin was removed.
Yes, Login Security Solution permits blocking for an hour.
See you,
–Dan
Hi Orboan:
Plugins exist that move the wp-login.php URI. LSS’ behavior and feature set is fairly stable. I’d rather not complicate things, so will leave this feature to the other plugins.
Thanks for the suggestion,
–Dan