Title: DigiP's Replies | WordPress.org

---

# DigiP

  [  ](https://wordpress.org/support/users/digip/)

 *   [Profile](https://wordpress.org/support/users/digip/)
 *   [Topics Started](https://wordpress.org/support/users/digip/topics/)
 *   [Replies Created](https://wordpress.org/support/users/digip/replies/)
 *   [Reviews Written](https://wordpress.org/support/users/digip/reviews/)
 *   [Topics Replied To](https://wordpress.org/support/users/digip/replied-to/)
 *   [Engagements](https://wordpress.org/support/users/digip/engagements/)
 *   [Favorites](https://wordpress.org/support/users/digip/favorites/)

 Search replies:

## Forum Replies Created

Viewing 15 replies - 1 through 15 (of 22 total)

1 [2](https://wordpress.org/support/users/digip/replies/page/2/?output_format=md)
[→](https://wordpress.org/support/users/digip/replies/page/2/?output_format=md)

 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Ajax Search Lite - Live Search & Filter] Hard coded HTTP entries in asl.shortcode.php](https://wordpress.org/support/topic/hard-coded-http-entries-in-asl-shortcode-php/)
 *  Thread Starter [DigiP](https://wordpress.org/support/users/digip/)
 * (@digip)
 * [8 years, 6 months ago](https://wordpress.org/support/topic/hard-coded-http-entries-in-asl-shortcode-php/#post-9857684)
 * By the way, w3 supports SSL, or this would(or should) also make it fail if it
   didn’t already support https.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Ajax Search Lite - Live Search & Filter] Hard coded HTTP entries in asl.shortcode.php](https://wordpress.org/support/topic/hard-coded-http-entries-in-asl-shortcode-php/)
 *  Thread Starter [DigiP](https://wordpress.org/support/users/digip/)
 * (@digip)
 * [8 years, 6 months ago](https://wordpress.org/support/topic/hard-coded-http-entries-in-asl-shortcode-php/#post-9857677)
 * Yes, if you have SSL enabled and it loads them with HTTP, it breaks the lock 
   icon for me in Opera. You can use whynopadlock(.)com to test your site(s), which
   after some digging was able to see that it was an SVG image from the plug-in 
   that caused this. Soon as I changed it, the green lock showed in my browser and
   also passed the test why no padlock test.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[Login Lockdown & Protection] Compatibility](https://wordpress.org/support/topic/compatibility-15/)
 *  [DigiP](https://wordpress.org/support/users/digip/)
 * (@digip)
 * [12 years, 10 months ago](https://wordpress.org/support/topic/compatibility-15/#post-3970720)
 * Pretty much change every instance, like I show here: [http://wordpress.org/support/topic/deprecated-user-lookup-function-since-wp-33?replies=1](http://wordpress.org/support/topic/deprecated-user-lookup-function-since-wp-33?replies=1)
   and it fixes the compatability for the deprecated function since wp 3.3
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[WP Login Alerts by DigiP] Sorting Email by Subject using IP address](https://wordpress.org/support/topic/sorting-email-by-subject-using-ip-address/)
 *  Plugin Author [DigiP](https://wordpress.org/support/users/digip/)
 * (@digip)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/sorting-email-by-subject-using-ip-address/#post-3742957)
 * Actually added an pushed this change. Makes sense to be able to sort emails by
   attacker IP in subject line.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[WP Login Alerts by DigiP] Sorting Email by Subject using IP address](https://wordpress.org/support/topic/sorting-email-by-subject-using-ip-address/)
 *  Plugin Author [DigiP](https://wordpress.org/support/users/digip/)
 * (@digip)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/sorting-email-by-subject-using-ip-address/#post-3742956)
 * Hmm..thats not a half bad suggestion. If I find free time, I may add that into
   it and push in the SVN. As of right now, no future plans on updates, but if I
   do, that will def be one to add and one of the best suggestions I’ve gotten so
   far. Thank you.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[BuddyPress Album] now stopped to show images uploaded](https://wordpress.org/support/topic/now-stopped-to-show-images-uploaded/)
 *  [DigiP](https://wordpress.org/support/users/digip/)
 * (@digip)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/now-stopped-to-show-images-uploaded/#post-3631738)
 * Got it fixed. Go into bb album settings, make sure to change full URL to path
   of your uploads folder if it differs than the default install of wordpress, then
   the images will show.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[BuddyPress Album] now stopped to show images uploaded](https://wordpress.org/support/topic/now-stopped-to-show-images-uploaded/)
 *  [DigiP](https://wordpress.org/support/users/digip/)
 * (@digip)
 * [13 years, 1 month ago](https://wordpress.org/support/topic/now-stopped-to-show-images-uploaded/#post-3631737)
 * I am having the same problem. Images upload, shows on the server, but do not 
   show in the album or on the site at all. I can navigate to the URL of the image,
   and I get a 404 not found by wordpress. Using Latest buddypress version and bbalbum
   version on wordpress 3.5.1
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[WP Login Alerts by DigiP] Email from name](https://wordpress.org/support/topic/email-from-name/)
 *  Plugin Author [DigiP](https://wordpress.org/support/users/digip/)
 * (@digip)
 * [13 years, 3 months ago](https://wordpress.org/support/topic/email-from-name/#post-3371647)
 * This plug-in was meant as a simple wake up call to people who were otherwise 
   not even paying attention to the login attacks on their sites. No more, no less.
   I could go full fledged admin panel on it, but if said site gets compromised,
   attackers are going to just change where the email gets sent to anyway. This 
   is more or less a passive plug-in, and most attackers aren’t even looking for
   it on systems. I suspect that will change over time, but I have no intention 
   of modifying it at this point in time, due to the fact that an option like this,
   requires storage in the wordpress database, and just leaves another avenue open
   for attack. If you get 30 or 3000 emails of login attempts, you’re not securing
   your site to begin with, and this plug-in, is only to alert you, not protect 
   the login page…
 * [http://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/](http://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/)
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[WP Login Alerts by DigiP] Could you add the method (GET, POST etc..)?](https://wordpress.org/support/topic/could-you-add-the-method-get-post-etc/)
 *  Plugin Author [DigiP](https://wordpress.org/support/users/digip/)
 * (@digip)
 * [13 years, 3 months ago](https://wordpress.org/support/topic/could-you-add-the-method-get-post-etc/#post-3594347)
 * Not sure what GEt or POST method you want added to the plug-in, or how that will
   resolve your issue.
 * The wordpress login page itself uses a POST form of its own to login, not a GET
   request, or usernames and passwords, would show in the address bar of the site
   when you login, which is a security risk for other people using your PC. If they
   looked at your URL history, they would see in plain text, the GET data of the
   username and password you use, which is why wordpress uses a POST form in their
   own login page.
 * All I do, is hook into the $_POST data for the user name field and email users
   the name tried logging in with or if the page is reached. If you are locking 
   down the wp-login.php and /wp-admin/ directories, you really don’t need the plug-
   in since you’re restricting access already to just your IP. I do both, just in
   case, but thats me, paranoid admin(never hurts to be too cautious) but if you
   are getting a ton of brute forced attempts, start using firewall rules or htaccess
   to block those users IP’s or subnets. Especially, if its always a specific network.
 * Thing about the plug-in, it will catch attempted or posted login data against
   any page of the site 😉 which is a nifty little feature I use on my own sites
   to act as a honeypot and capture logins, since my wordpress isn’t installed in
   the base of my site(s) usually. Example of one of my honeypots for wordpress:
   [http://www.attack-scanner.com/brutes/brutes.log](http://www.attack-scanner.com/brutes/brutes.log)(
   I may one day do a write up on how to set this up, but for now, its just mine…
   muahahahha..sorry, mad scientist taking over)
 * Only other thing I can say, is mod the plug-in, to only check for your username.
   If you’re username is not the one being attempted, just exit, but if it is, then
   send an email. That requires changing the plug-in name in the header comment 
   area as well, so you don’t get overwritten your changes from me when I make updates,
   but there is no way to really tell it, “Oh, this person uses htaccess, so don’t
   send an email if its the admin” without heavily customizing it on a per site 
   basic, which I would leave up to the end user. I do customize them for people
   on a per site basis, but I charge for this service,as where here, this is just
   a free plug-in to alert you.
 * I had one client who the other day, got over 3000 emails, because someone used
   a bot to automate an attack against her site and it freaked her out, but one 
   person had launched an attack on her site, so its a catch 22. Do you leave it
   on or off, is up to you.
 * All I can say is turn it off, if you have your login page and /wp-admin directory
   locked down though, and since no one but your IP should be able to access those
   areas if you’ve handled it correctly, so who cares who tries to brute force the
   page, they won’t be able to gain access if its blocked and only you are whitelisted.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[WP Login Alerts by DigiP] Suggestion User Login Security](https://wordpress.org/support/topic/suggestion-17/)
 *  Plugin Author [DigiP](https://wordpress.org/support/users/digip/)
 * (@digip)
 * [13 years, 5 months ago](https://wordpress.org/support/topic/suggestion-17/#post-3381423)
 * Not quite sure what you are getting at, but have you used my Plug-In in WordPress?
   It already gives you timestamps of when a login attempt takes place in the body
   of the email. Maybe I misunderstood your question or request.
 * My plug-in, has no admin panel settings. It is a strictly passive plug-in, that
   monitors the login attempts to the site, and alerts the owner of the site, or
   whomever is set for the email address under the Dashboard > Settings > General
   section. If someone reaches the login page, it sends an email with the subject
   of which WordPress site was reached (if you have more than one, this is useful
   to know which of your sites is trying to be accessed) and you can see when the
   page is reached. If an attacker then tries to login, it then sends another email,
   and in the subject line, this time, tells you the name they tried logging in 
   with for which site. The body of the email tells you the attackers IP address,
   Referral, Timestamp, and Username tried.
 * This is strictly a passive security alert plug-in, with no options, and is only
   meant to alert the admin of the site, of such login attempts. If say, you get
   30 emails in a row for a login attempt, that was not you, or for a name that 
   does not exist on your site, such as admin(which I don’t have on ANY of my WordPress
   sites), you then know to investigate and check if its a brute force attack, and
   if so, should block the persons IP address from reaching your site. If it was
   for a name that DOES exist, you should email the user, and ask them if they are
   trying to login, because any user who forgets their password, can use the password
   reset feature to let themselves back in. If the login attempts continued, its
   most likely an automated brute force attack.
 * To send an email to subscribers or other users of the site, every time they login,
   would be kind of spammy in my opinion. Only the admin needs to know when someone
   logs in, and should be the one to monitor the use of their WordPress based site.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[SB Uploader] Possible file type issue](https://wordpress.org/support/topic/possible-file-type-issue/)
 *  Thread Starter [DigiP](https://wordpress.org/support/users/digip/)
 * (@digip)
 * [13 years, 5 months ago](https://wordpress.org/support/topic/possible-file-type-issue/#post-3320100)
 * Well, without looking at the plug-in itself, I haven’t seen what source code 
   you used to add the plug-in to wordpress, but if there is an admin panel or role
   setting, I would make it administrator or editor, so people registering, who 
   are generally just subscribers, wouldn’t have access to the plug-in.
 * In general, low level users such as readers who register to make comments, such
   as subscribers only, should not have upload access to your site or be able to
   make blog posts. If they did, well, they they should have access to the default
   media uploader on blog posts and pages they add anyway, so limiting the role 
   to higher level users, would in my mind, mitigate abuse by subscribers of a site,
   for people who leave registration open to the public on their WordPress sites.
   By default, registration is turned off, so a site owner would have to enable 
   this. If it was a site that also used something like say, S2 Subscriber plug-
   in, to have access to paid for pages and posts, they generally only have read
   access to those pay for pages and posts or download content, but in general, 
   don’t have access to make blog posts or pages. If however this plug-in shows 
   up under their sign ons though, they could upload a reverse shell, and then root
   the site to deface it, read the wp-config.php file, inject a payload to overwrite
   the admins password in the data base with their own, and then login as the admin,
   change the admins email, etc.
 * So my suggestion, is make the plug-in available only to administrators or editor
   roles.
 * [http://codex.wordpress.org/Roles_and_Capabilities#Administrator](http://codex.wordpress.org/Roles_and_Capabilities#Administrator)
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[WP Login Alerts by DigiP] Code modifications](https://wordpress.org/support/topic/code-modifications/)
 *  Plugin Author [DigiP](https://wordpress.org/support/users/digip/)
 * (@digip)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/code-modifications/#post-3191425)
 * Subject lines have been changed few revisions ago.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[WP Login Alerts by DigiP] Email From!](https://wordpress.org/support/topic/email-from-1/)
 *  Plugin Author [DigiP](https://wordpress.org/support/users/digip/)
 * (@digip)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/email-from-1/#post-3337450)
 * Reason I changed it, is because some users use Gmail, and on some hosts, their
   SMTP servers will not send mail from a Gmail address to a Gmail address, and 
   people we’re not getting the login alerts. This was actually a fix, for a lot
   of people, not to mention mailer-daemon errors from Gmail, rejecting emails sent
   to them self unless explicitly white listed as such, and even then, some web 
   hosts, would not do it due to their own server side mail rules. By hard coding
   a “no-reply” address, it passes the mail test with 99% of web hosts and mail 
   hosts, and was noted in the change log the reason for the switch.
 * This is not a true bug though, and was actually more an issue for others before
   it was changed, than it is now. If you want, you can see in the code where I 
   changed it. I left the old code commented out.
 * [@summit](https://wordpress.org/support/users/summit/) thank you for showing 
   him the code.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[W3 Total Cache] W3 Total Cache critical Vulnerability disclosed](https://wordpress.org/support/topic/w3-total-cache-critical-vulnerability-disclosed-1/)
 *  [DigiP](https://wordpress.org/support/users/digip/)
 * (@digip)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/w3-total-cache-critical-vulnerability-disclosed-1/page/2/#post-3308745)
 * [@aitpro](https://wordpress.org/support/users/aitpro/) hope no offense was taken
   either way. Was not my intention, just wanted to illustrate a point that length
   with respect to the current password hashing scheme for wordpress alone is not
   a deterrent for attackers at this point in time and easy access to user names
   is all they really care about, since they usually just brute force logins once
   they know the user names and don’t care about needing the hash itself.
 * Still, password cracking is a common threat in todays landscape of GPU hardware
   based password cracking machines, and wordpress passwords in general are quickly
   broken in hash cracking competitions since the average user only uses a small
   subset of actual characters for their passwords, often limited to lowercase letters
   and numbers only and usually no more than 8 characters. Not to mention hash length
   extension attacks that use probability statistics in reducing the common key 
   space used to only commonly used characters and removing certain letters, special
   characters, etc, the process of cracking most(but not all) passwords becomes 
   even that much faster when you add additional cracking techniques.
 * Not trying to hijack the thread or to cause hysteria, but users should be aware
   of a number of security practices, not just htaccess control and strong password
   use, but also monitoring of login attempts, something I hope is someday implemented
   into wordpress itself to notify admins if a failed password attempt has taken
   place. There good thing is there are plug-ins to help users in that area to fill
   the void, including one I’ve written myself, but you don’t need to use mine to
   be able to log these attempts. There are plenty of other plug-ins that help with
   that regard and I would suggest every WordPress user consider using some form
   of login monitoring plug-in that emails the admins of attempts. Just one more
   layer in a balanced approach to securing your site, and something most users 
   would probably be surprised at how many people are already brute forcing their
   way into your sites already, directly against the login page of wordpress itself.
   One of the first things I do when setting up WordPress is install a login alerts
   plug-in, and change all usernames to use different nicknames for posts and comments,
   so attackers can’t use default names like admin to login with(which is a topic
   for a whole other discussion on why you should never setup wordpress with the
   username admin).
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In
   reply to: [[W3 Total Cache] W3 Total Cache critical Vulnerability disclosed](https://wordpress.org/support/topic/w3-total-cache-critical-vulnerability-disclosed-1/)
 *  [DigiP](https://wordpress.org/support/users/digip/)
 * (@digip)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/w3-total-cache-critical-vulnerability-disclosed-1/page/2/#post-3308743)
 * I would agree with most everything here, including best practices for htaccess
   and so forth, but I take issue with the statement “And just an FYI – if you are
   using secure passwords then you have nothing to worry about since one-way hashed
   passwords cannot be cracked.”
 * Hashcat with on a workstation with a number of GPU’s, can and will crack wordpress
   passwords, and people do it all the time. Collisions can and will happen. Especially
   passwords under 8 characters, will only take about an hour or two on a high end
   machine with multiple GPU’s doing the cracking. 8 or more characters take a bit
   longer exponentially for every character over 8 or more in length.
 * At a minimum, 14 or more would be more desirable as well as implementing your
   own form of two factor authentication, or doing as I do and disabling access 
   to wp-login.php and the wp-admin directory via htaccess for anyone other than
   my own IP.
 * Still, its not impossible to break, as the algorithm used to create the hash,
   can have any number of possibilities for the hash itself and its only a time 
   trade off issue as to when, not if, the password can be broken. Type in any word,
   and do it continually, the hash changes every time. I use this for myself, when
   I’ve forgotten the password on systems that don’t have the ability to email passwords
   or no SMTP setup, and I have to manually edit clients sites that need password
   resets, I can make my own and just paste in whatever this outputs directly to
   the database file itself and it works – [http://www.attack-scanner.com/pass.php](http://www.attack-scanner.com/pass.php)
 * If you are going to block access to indexes, be sure to block access to wp-login.
   php and wp-admin as well except for your own IP. Its a hassle to update the htaccess
   file every time your IP changes, but its worth it in my mind. Another alternative,
   is add htpasswd protection to the wp-admin directory so no one can login, which
   in some ways, adds a second layer of authentication. Just don’t use the same 
   login name and password for both htpasswd and your wordpress login, but that 
   should go without saying.

Viewing 15 replies - 1 through 15 (of 22 total)

1 [2](https://wordpress.org/support/users/digip/replies/page/2/?output_format=md)
[→](https://wordpress.org/support/users/digip/replies/page/2/?output_format=md)