Daniel Convissor
Forum Replies Created
Hi Jason:
Thanks for trying it out again. Actually, the problems you’re seeing now are not the same. The reset password flag was already set from your earlier use.
Beyond that, what LSS thinks is a strong password and what WP thinks is a strong password are two different things. Exactly what did LSS say was wrong with your password? This plugin gives very specific error messages about what’s wrong with a password. What happened when you tried following that message’s direction?
Guess I need to figure out which filter is used for the password strength indicator and get rid of it.
Thanks,
–Dan
Hi Jason:
There are some changes in 0.22.0 that will probably take care of the problems you were having.
–Dan
The initial translation work has been put in the 0.22.0 release. Hopefully you’ll have a chance to translate the rest of the stuff.
Hi Mike:
Thanks for sending me the detailed information via email.
I tracked down and fixed the problem with the “not a valid MySQL-Link resource” issues. It happens when invalid auth cookies are presented. That was happening due to multiple browsers being used, with the password having been changed in one and not the others. The problem is the auth cookie check happens very early in the process, so my database close call (before sleeping) leaves WP unable to render the rest of the page.
The required password resets you and your client encountered were due to repeatedly trying incorrect passwords. You 8 times, your client 5, then 3 other passwords 2x each. (Perhaps some were auth cookies, I don’t know.) Anyway, I added some logic to only track a given IP, user, password combination one time. This will cut down on the problem you hit.
I also suggest having a user name other than “admin.” I added an explanation to the plugin’s FAQ.
All of this is in the new release, 0.22.0.
Thanks again,
–Dan
Roxor:
Thanks for being reasonable. Glad you were thinking ahead with the domain name. I suggest disabling the ability of the general public to create accounts.
There are many tools out there for benchmarking websites to determine what you’ll need in the way of resources. One example is ab (Apache Benchmark). There’s no need to open your site up for public logins.
For the remainder of your testing, you may want to set up some .htaccess or server level rules to only permit access to the site from the IP addresses you (and your associates) are coming in from. Example:
Order deny,allow
Deny from all
Allow from 81.83.1.8
Hi Roxor:
Wait a second. You’re letting random people (and robots) sign up for accounts on your site? In all seriousness, you are compromising the security of everyone on the Internet.
Please read the “Securing Your WordPress Site is Important” section from the Description page of my plugin at http://wordpress.org/extend/plugins/login-security-solution/.
Blow away your existing WordPress installation. Now.
I’d guess your domain name’s reputation is shot, plus miscreants will continue to try to use any WP install you put up on it. Seems like you need a new domain.
Good luck,
–Dan
Hi Mike:
The proper permissions for wp-config.php depend on the way your web server works. Most likely, you’ll need chmod 440. This may be, but probably is not, related to the LSS issues you’re encountering.
Can you please read the “The password reset behavior…” passage of the following post:
http://wordpress.org/support/topic/plugin-login-security-solution-password-reset-loop?replies=3#post-3036352. Does that apply to your situation?
I assume you and your client have distinct user accounts and are not sharing them.
What other plugins do you have installed? If there are any others, have you read my plugin’s FAQ? http://wordpress.org/extend/plugins/login-security-solution/faq/
Are you running a stand-alone installation of WordPress, or are you running a multisite network installation?
Are you behind a proxy or load balancer?
Can you dump the contents of your wp_login_security_solution_fail table and email it to me at danielc@analysisandsolutions.com?
As far as reinstalling, just put the plugin files back in place and you should be good to go. WordPress may want you to reactivate it, so check the Plugins page in wp-admin.
–Dan
Are those the exact user names and quantities in the emails, or have you altered them?
Are you behind a proxy, load balancer, etc. that presents WP with a given IP address (or set of addresses) in REMOTE_ADDR instead of WP receiving each user’s actual IP address?
I couldn’t see your settings because mediafire requires JavaScript. You’ll probably want to increase the “Failure Notification” number so you don’t get soooo many emails.
Hi Mike:
The plugin sets a “change password” flag in each existing user’s metadata. But it does not set a flag for the administrator who presses the button.
Also, you mentioned checking the box. But I didn’t see mention of clicking the button next to it also. Both need to be done for the flag to get set. The two step process helps prevent mistakes.
–Dan
The installation instructions now include a step for administrators running behind load balancers and proxies. This will show up on the website when the next release is made. Until then, folks can view the readme file in SVN.
Dean:
Once again, thank you for paying close attention.
My initial thinking was “Yeah, the HTTP_X_FORWARDED_FOR can be forged, but so can the REMOTE_ADDR.” But the underlying point of your statement is that forging an HTTP header is WAY simpler than forging an IP packet or attacking via proxies.
I’ll revert the change and advise users to take appropriate measures.
josediogenes, for the record, my plugin carefully validates all input in order to prevent XSS and SQL vulnerabilities, etc.
Thanks,
–Dan
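The point Dean raised above, that an HTTP_X_FORWARDED_FOR header costs an attacker nothing to forge while REMOTE_ADDR is set by the TCP connection itself, is usually handled by trusting the header only when the connection actually arrived from one of your own proxies. The following is an added illustration written for this page; it is not code from the Login Security Solution plugin. The trusted proxy address, the function name lss_example_client_ip, and the sample requests are all hypothetical.

```php
<?php
// Added example (not Login Security Solution's own code): pick the client IP
// from a $_SERVER-like array without trusting a forgeable header.
//
// Assumption (not from the original thread): $trusted_proxies holds the
// addresses of the load balancers / reverse proxies you operate yourself.

/**
 * Returns the IP address to record for a request.
 *
 * - If REMOTE_ADDR is not one of our own proxies, the client connected to us
 *   directly. Whatever X-Forwarded-For says was typed by the client, so it is
 *   ignored entirely.
 * - If REMOTE_ADDR is a trusted proxy, walk X-Forwarded-For from the right
 *   (the hop our proxy appended) leftward, skipping further trusted proxies,
 *   and use the first address that is not ours. Everything to the left of it
 *   was supplied by an untrusted party and may be forged.
 */
function lss_example_client_ip(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote;
    }

    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_reverse(array_map('trim', explode(',', $header)));
    foreach ($hops as $hop) {
        if ($hop === '' || in_array($hop, $trusted_proxies, true)) {
            continue;
        }
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            // A malformed hop means the header was tampered with. Fall back
            // to the proxy's address rather than storing attacker-chosen text.
            return $remote;
        }
        return $hop;
    }

    // Header absent or made up only of our own proxies.
    return $remote;
}

// Hypothetical load balancer address.
$trusted = ['10.0.0.5'];

// Constructed request 1: direct connection carrying a forged header.
// The forged value must not replace the real source address.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.9',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.77',
];
var_dump(lss_example_client_ip($direct, $trusted) === '203.0.113.9');

// Constructed request 2: arrived via the load balancer. The balancer appended
// the real client (rightmost); the left entry was sent by the client itself.
$proxied = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.77, 203.0.113.9',
];
var_dump(lss_example_client_ip($proxied, $trusted) === '203.0.113.9');

// Constructed request 3: via the load balancer, but no header at all.
$bare = ['REMOTE_ADDR' => '10.0.0.5'];
var_dump(lss_example_client_ip($bare, $trusted) === '10.0.0.5');
```

Both var_dump lines for the first two requests print bool(true): the forged header on the direct connection is discarded, and on the proxied connection only the hop appended by your own balancer is used. If the plugin's failure tracking were fed the raw header instead, an attacker could spread a brute-force run across any IP value they liked, or point lockouts at someone else's address.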
Hi Jose:
I committed some changes for this into the SVN repository. It will be in release 0.22.0, whenever that comes out. For now, you can use the latest “development version” via http://downloads.wordpress.org/plugin/login-security-solution.zip. Please try it and let me know how it goes.
–Dan
Hi Jose:
Are you asking in general, or is this a situation you actually have?
I could populate the plugin’s IP data with HTTP_X_FORWARDED_FOR if it’s provided. Sound good?
–Dan
Mermouy: I didn’t put the translation in the 0.21.0 release because it’s incomplete. The translation files are back in the SVN repository. Hopefully you can get to completing it soon. Once it is I’ll produce a new release. Thanks, –Dan
Hi Madhavaji:
Good point. I’ve updated the notice text to specifically state that the link goes to a user interface. The change is in the 0.21.0 release that has just been put out.
Thanks,
–Dan