Help needed with Login Security Solution 0.34.0 problem

  • Resolved tomdkat

    (@tomdkat)


    13 years, 3 months ago

    I had been running Login Security Solution 0.34.0 just fine for over a month now until today. I was tinkering with another plugin when Login Security Solution started preventing me from logging in to WordPress. As part of my work on this other plugin, I was logging out and in to WordPress a lot. Eventually, Login Security Solution started reporting a potential attack and it started forcing me to verify my identity by having me change my password. NO new password I would enter would be accepted because it was determined to be insecure, regardless of how long and mangled it actually was.

    I managed to get back in to WordPress by logging in to the server via FTP and deleting the plugin directory. I know this isn’t a clean approach, but it was effective.

    So, I tried re-installing Login Security Solution and the installation went fine but as soon as I activated it, I was kicked out of the WordPress dashboard and presented with the page for me to enter a new password. Clearly, when I deleted the pluginn directory some files or settings got left behind.

    First, how can I properly “clean up” Login Security Solution?

    Second, how can I find out why Login Security Solution determined my site was under attack when ALL of my login attempts were successful?

    Thanks!

    http://ww.wp.xz.cn/extend/plugins/login-security-solution/

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author Daniel Convissor

    (@convissor)

    13 years, 3 months ago

    Here’s a stab in the dark guess based on the symptoms and problems that have been reported by others… Is your web server behind a proxy? That would cause all hits and login failures to show up as coming from one IP address. That means all login failures count against all users. See the FAQ for how to deal with proxies.

    Thread Starter tomdkat

    (@tomdkat)

    13 years, 3 months ago

    Thanks for the reply. No, the server isn’t behind a proxy. At this point, do you know what files or settings I should clear such that I can effectively “reset” Login Security Solution properly? As I wrote above, I uninstalled the plugin, then re-installed it and when I activated it, it immediately prompted me to reset my password even though I was already logged in to WordPress to uninstall and install the plugin.

    So, Login Security Solution must be looking at something to determine my password needs to be reset. If I can get that fixed, I think I would be in good shape. Otherwise, I can’t use Login Security Solution.

    Thanks!

    Peace…

    Plugin Author Daniel Convissor

    (@convissor)

    13 years, 3 months ago

    Hi Tomdkat:

    Perhaps the problem you ran into creating a good password is you’re using “leet” speak. So you think the password is “mangled” enough, but it’s really not, since leet conversions are quite common. Part of the plugin’s password strength checks converts leet speak to normal letters and then runs checks on that.

    Creating secure passwords isn’t hard and the plugin says what the shortcoming is. Once you pick a good password, you’ll be good to go.

    Just to make sure about something, can you please run the following query and post the result back here (or email it to me):

    select user_login, ip, count(*)
    from wp_login_security_solution_fail
    group by user_login, ip
    order by user_login, ip;

    Anyway, to ditch the settings, run these queries:

    DROP TABLE wp_login_security_solution_fail;
    DELETE FROM wp_options WHERE option_name LIKE ‘login-security-solution%’;
    DELETE FROM wp_usermeta WHERE meta_key LIKE ‘login-security-solution%’;

    Thread Starter tomdkat

    (@tomdkat)

    13 years, 3 months ago

    Hi! Thanks for the info! I’ll run the above query and will send the results via e-mail in a few minutes.

    Thanks! You’ve been VERY helpful!

    Peace…

    Thread Starter tomdkat

    (@tomdkat)

    13 years, 3 months ago

    Ok, I just sent you e-mail.

    Thanks again!

    Peace…

    Thread Starter tomdkat

    (@tomdkat)

    13 years, 3 months ago

    Ok, I got this problem resolved. Apparently, the theme I’m using had a call to “is_user_logged_in()” in a function in functions.php. “is_user_logged_in()” will call “wp_validate_auth_cookie()” to see if the user is currently logged in. The call to “wp_validate_auth_cookie()” causes the “wordpress_logged_in[HASH]” cookie to be dropped and as a result, EVERY user that visits the site will get this cookie set even though they haven’t logged in to WordPress at all.

    So, I changed the function in the theme’s functions.php file to simply NOT call “is_user_logged_in()” and I’m not getting any more “phantom” logins as being recorded by login security solution.

    Peace…

    Plugin Author Daniel Convissor

    (@convissor)

    13 years, 3 months ago

    Hi Tom:

    I modified the plugin to ignore failed cookie auth attempts if the username or password hash are empty. This is in version 0.35.0 that just came out.

    Thanks for the excellent research.

    –Dan

    Thread Starter tomdkat

    (@tomdkat)

    13 years, 3 months ago

    Thanks for the update and for the new release! 🙂

    Peace…

Viewing 8 replies - 1 through 8 (of 8 total)

The topic ‘Help needed with Login Security Solution 0.34.0 problem’ is closed to new replies.