Daniel Convissor
Forum Replies Created
Hi bbeoj:
The attackers were using multiple processes against you. If the slowdown wasn’t there, they would have gotten in multiple requests per second.
Testing on my local dev box with valid auth credentials produces about 8 hits per second, which would add up to about 72,300 attempts in 2.5 hours. You only had 1,000.
Thanks for the report,
–Dan
Or you could do it the easy way, which the plugin has provided since the beginning:
* Click the “Change All Passwords” link inside that notice (or in the quick links on this plugin’s line on WP’s Plugins page).
* Check off the “No thanks. I know what I’m doing. Please don’t remind me about this.” box.
* Click the “Do not remind me about this” button.
Hi Jason: I want to roll a new release in the near future. Can you please provide the requested feedback? Thanks, –Dan
Marking resolved due to lack of feedback and the low likelihood this is being caused by this plugin.
Fodden, please feel free to provide more info and reopen this thread.
Hi st0l1:
Thanks to you and your friend for diligently testing my plugin.
700 requests in 90 minutes comes out to about one every seven seconds. That’s a far cry from the 8 requests every second I can post with valid credentials to my dev box. In 90 minutes, my test with legit login info would have made 43,380 requests. For your partner to get 1 request every 7 seconds, I’m going to guess they were running six threads at once.
The password reset behavior you’re seeing is expected behavior. This is because you’re making the bogus logins from the same IP you’re trying to make legitimate logins from. Therefore, my plugin assumes you’re the attacker (because, well, you are :).
Under the most likely scenarios, attackers are coming in from addresses on other networks. When such scum are attacking your user name with different passwords, the plugin permits you, the legitimate user, to log in after the verification / password reset process.
Thanks again,
–Dan
Hi Jason:
Sorry you’re having problems. My only hunch at this point is something to do with auth cookies. I’ll need your help pinpointing the issue.
Go into my class’ `log()` method. Adjust the path to the file as needed. Then in my `auth_cookie_bad()` method, add this call on the first line: `$this->log("auth cookie bad.");` You can also uncomment the pre-existing log calls in the file too. Then use the site while monitoring the log file. Make notes of what you do and what shows up in the log file.
Thanks,
–Dan
Further information was not received. Please reopen the thread if the problem persists and you can provide details about what’s going on.
The provided translation has been integrated. It doesn’t include the settings screen yet. Mermouy said he’ll submit it when he gets a chance.
Please provide the entire error text.
gwc_wd: Thanks for letting me know. What’s the philosophical issue? FYI, LLA has a hole because it misses auth cookies with an invalid user. –Dan
Mermouy: Great! You can email them to me. My address is at the top of the plugin file. Thanks, –Dan
IRC’ed nacin. He said he tweaked and tested it, so it should be working now. We’ll see…
Hi Folks:
Sorry to be so crass, but could y’all please be so kind as to rate this plugin, give it a “works” vote, and make a donation? It’d be a big help.
Thanks,
–Dan
Dean:
Did you get an email when I closed ticket 1555?
–Dan
This request has been implemented in the 0.20.0 release. Everyone, thanks for the report and suggestions.
Could y’all please be so kind as to rate the plugin, vote for it as “working”, and (ahem) make a donation?