Daniel Convissor
Forum Replies Created
Hi James:
Thanks for the big effort. Having shell access will provide you long term benefits. The grep call hung because you left the period off the end of the command.
FYI, that part of the grep command tells grep where to search. “.” means look in the present directory. If no location is indicated, grep examines standard input, which you didn’t provide either, so grep just waited.
–Dan
I went ahead and removed the password strength indicator in the new release, 0.24.0.
Dean, I’m still curious to hear your thoughts when you get a chance.
James:
I’m trying to help you. You’re not answering my questions. So let me be very specific. Please do the following.
* Log into the web server using SSH.
* cd into the directory containing your WordPress installation.
* Call the following command:
grep -rE 'wp_generate_password|random_password' .
* Paste the output here.
–Dan
James:
Which plugin is that? And what’s in your wp-login.php?
Are you manually looking at each file to do this search? You really need to do an automated search to make sure EVERYTHING is checked.
–Dan
James:
If you’re on a Unix/Linux/BSD type box, do this:
grep -rE 'wp_generate_password|random_password' .
If you’re on a Windows box, use your preferred file content searching tool.
–Dan
James:
You have something overriding WordPress’ default behaviors. In WP 3.4.1, the new user generation process in wp-login.php asks wp_generate_password() for a 12 character password. wp_generate_password() calls the random_password filter. I’d guess either you have an outdated wp-login.php or you have a plugin with a random_password filter in it.
–Dan
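The search described in these replies, narrowed to the one case that indicates an override, as an added example that is not part of the original posts. The directory tree, the file contents and the plugin name example-plugin are constructed for illustration; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example; the sample files are constructed, not real WordPress or plugin code.

# Build a tiny constructed tree that mimics the layout of a WordPress install.
make_sample_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" "$root/wp-content/plugins/example-plugin"
    cat > "$root/wp-login.php" <<'EOF'
<?php $user_pass = wp_generate_password( 12, false );
EOF
    cat > "$root/wp-includes/pluggable.php" <<'EOF'
<?php function wp_generate_password( $length = 12 ) {
    return apply_filters( 'random_password', $password );
}
EOF
    # Hypothetical plugin that hooks the filter and could replace the password.
    cat > "$root/wp-content/plugins/example-plugin/example.php" <<'EOF'
<?php add_filter( 'random_password', 'example_short_password' );
EOF
    echo "$root"
}

# Every file that mentions the generator or the filter (the search from the thread).
find_password_references() {
    grep -rlE 'wp_generate_password|random_password' "$1" | sort
}

# Only the files that register a callback on the filter: the override candidates.
find_random_password_hooks() {
    grep -rlE --include='*.php' \
        "add_filter\([[:space:]]*['\"]random_password['\"]" "$1" | sort
}

tree=$(make_sample_tree)
echo "References:";   find_password_references "$tree"
echo "Filter hooks:"; find_random_password_hooks "$tree"
rm -rf "$tree"
```

On a real site, call both functions with the WordPress root directory; any file in the second list is code that can change the generated password.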
Hi James:
You’re talking about the randomly generated 12 character password that gets emailed to new users? That’s created by WP core. It’d be pretty hard for attackers to crack that.
How long do you have your minimum password length set to?
–Dan
Hey Dean:
Why would you “not recommend removing the password strength meter…”?
Thanks,
–Dan
Forum: Plugins
In reply to: [Login Security Solution] [Plugin: Login Security Solution] ip is incomplete
Hi Jan:
By latest version, you mean 0.23.0? Hmm, and it’s still sending the emails with 0 counts. Alas.
The failures with your user name could be due to auth cookies? Did you change your password? Are you using multiple browsers? Do the times match the times you were looking at the site?
Or the attacker deduced your user name from the site name or the user name on your postings.
–Dan
Woah! Seems that investigation got the plugin yanked. Going to http://wordpress.org/extend/plugins/login-lock/ produces “Whoops! We couldn’t find that plugin…”
Forum: Plugins
In reply to: [Login Security Solution] [Plugin: Login Security Solution] ip is incomplete
Hi Jan:
That’s the network component of the IP address, which is what’s used for counting the failures. The full address is in the <prefix>login_security_solution_fail table.
I’m curious, which version of the plugin were you using when that email was sent, please?
Thanks,
–Dan
Forum: Plugins
In reply to: [Login Lock] [Plugin: Login Lock] Doesn't Seem to Work With BuddyPress
Hi Gswaim:
Problems with this plugin led me to provide patches to the developer. My approach wasn’t appreciated, so I made a new plugin, Login Security Solution. It takes the concepts of this plugin and turns them up to 11.
It’s well engineered and has unit tests. One thing I haven’t had a chance to do is test it against BuddyPress. Could you please be so kind as to try it all out and let me know how it goes? (My email address is in the class level docblock in the plugin’s main file, or you can post a thread in my plugin’s forum.)
Thanks,
–Dan
nixonvs:
Funny thing is there’s a link to donate to the site on my page. Yeah, right. It’s gotta work to get my money (and I DO donate to some that work well).
Let alone sticking a donation link onto end users’ websites, particularly without asking or providing a way to opt out, is tacky. When I tried to improve this plugin by contributing patches, the developer was put off by my taking those links out.
So instead of forking and giving back, it was clear I needed to make a whole new plugin: Login Security Solution. It’s solid, has unit tests and a far better feature set.
–Dan
When hitting “post” I thought, “I bet Dean will have something to say about this.” I’ll have to look into that. Thanks!
Gah. There is no simple way to override the strength indicator.