IP address change flaw | ww.wp.xz.cn

Resolved greentown66
(@greentown66)

9 years, 10 months ago

The plug works great, but there seems to be a flaw in the security. When testing out the maximum attempts set at 3, lockout was successfully activated at a set time of 60 minutes. But when I turn my phone off and then back on, I can attempt 3 more times without waiting for the 60 minutes lockout time to expire. This was tested on a different IP address to confirm the security of the plugin. I noticed every time I turned the phone on and off, the IP address changed, which give me more attempts to brute force my way in.

https://ww.wp.xz.cn/plugins/loginizer/

Viewing 1 replies (of 1 total)

Plugin Contributor loginizer
(@loginizer)

9 years, 9 months ago

Hi,

Loginizer basically restricts IP based hacking attempts.
The only way to identify a client is by the IP address.
Generally anyone doing a brute force attack will not have so many IPs.
Brute force attempts on an average need 1000s of attempts.
So a person must have 1000/3 (guestimate) number of IPs which is very difficult to get.

Viewing 1 replies (of 1 total)

The topic ‘IP address change flaw’ is closed to new replies.

Tags

login-attempts

1 reply
2 participants
Last reply from: loginizer
Last activity: 9 years, 9 months ago
Status: resolved