login_security error

  • Resolved audeyoe

    (@audeyoe)


    8 years, 10 months ago

    In my PHP error log, I was seeing a whole bunch of errors related to login_security.php. I deleted the error so I can’t remember exactly the text, but it said something like “function expects an object.”

    I looked into the file and found that at the referenced lines (417 and 434), it’s trying to use the created $user object retrieved from get_user_by(). In most situations this is fine. But it turns out (which I tested by having it print the username prior to the error) that people were trying to hack my site by logging in as two specific usernames:
    admin (which I had previously deleted from the wordpress DB but still existed in the BPS login database – I cleared that up by deleting admin from the BPS login table)
    park-boulevard (which is the name of our domain, and would be part of all email addresses that employees would use to log in)

    I’m not sure why park-boulevard was able to pass through to this point, but the issue appeared that it was verified up to this point but couldn’t actually resolve to a user ID in get_user_by() leaving the $user object empty. I solved this as a temporary measure by encapsulating all of the code following the get_user_by() function in an if($user) statement.

    I’m not sure if there’s a better way to prevent that username from getting through up to that point, but I’m writing just to at least make sure that $user check gets added so the errors don’t come back in the next update.

    *******************************************************************************************************************
    // Log Only Account Lockouts for valid Users
    // X failed attempts in any X amount of time = account is locked period – Duration/threshold is totally unnecessary
    *******************************************************************************************************************
    */
    if ( $BPSoptions[‘bps_login_security_OnOff’] == ‘On’ && $BPSoptions[‘bps_login_security_logging’] == ‘logLockouts’) {

    $user = get_user_by( ‘login’, $username );

    // .53.8: Login by email address
    if ( ! $user && strpos( $username, ‘@’ ) ) {
    $user = get_user_by( ’email’, $username );
    }

    if ($user) { //added this (and then of course an end brace to close it)

    $LoginSecurityRows = $wpdb->get_results( $wpdb->prepare(“SELECT * FROM $bpspro_login_table WHERE user_id = %d”, $user->ID) ); //this line threw the error first

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author AITpro

    (@aitpro)

    8 years, 10 months ago

    Very interesting. We will do some testing and figure out the best way to do whatever needs to be done. Thanks for reporting this.

    Plugin Author AITpro

    (@aitpro)

    8 years, 10 months ago

    I am unable reproduce this problem on a test website. So just want to double check this information: Your domain name is: park-boulevard and the username that was being entered was: park-boulevard correct?

    Thread Starter audeyoe

    (@audeyoe)

    8 years, 10 months ago

    Yes, that’s correct.

    Plugin Author AITpro

    (@aitpro)

    8 years, 10 months ago

    Ok well that is exactly what I tested and did not see any php errors on my test site. I’m not really sure why you are seeing those php errors, but I’m guessing it has to do with the way/method the brute force login attack was done. ie a POST Request made to your WP login page or some kind of GET Request that was malformed. Logically if/when something invalid or incorrect is done with code you will see an error. So if the login request itself was fubar then you probably would not see a BPS Security Log entry logged for this since the Request would not have made it as far as being blocked by BPS since it was not an actual valid request. I think the simpler thing to do to prevent any php errors occuring from invalid login requests would be to suppress php errors on the $user object. Typically you do not want to suppress php errors because that would leave you “blind” for any sort of troubleshooting, but in this particular case/usage I think it is ok to do that: @$user = get_user_by( β€˜login’, $username );

    Plugin Author AITpro

    (@aitpro)

    8 years, 10 months ago

    Aha! Now I see how this php error occurred. You have WP_DEBUG turned On in your wp-config.php file. πŸ˜‰ I was able reproduce the php error by turning WP_DEBUG On. Important Note: You should only have WP_DEBUG turned On while you are debugging things. WP_DEBUG should normally be turned Off otherwise your website will experience performance issues. Also WP_DEBUG can cause some plugins and themes to malfunction if there are coding issues/problems in some pugins and themes so you do not want to leave it on permanently. πŸ˜‰ I’m now thinking that suppressing the php error is not a good idea afterall and will add some kind of appropriate condition for this scenario.

    Notice: Trying to get property of non-object in C:\xampp\htdocs9\demo2\wp-content\plugins\bulletproof-security\includes\login-security.php on line 417

Notice: Trying to get property of non-object in C:\xampp\htdocs9\demo2\wp-content\plugins\bulletproof-security\includes\login-security.php on line 434
    • This reply was modified 8 years, 10 months ago by AITpro.
    • This reply was modified 8 years, 10 months ago by AITpro.
    • This reply was modified 8 years, 10 months ago by AITpro.
    Plugin Author AITpro

    (@aitpro)

    8 years, 10 months ago

    Ok so here is what I beleive is the best solution:
    Code line 417 can be safely suppressed, but code line 423 needs to have the $user object condition added. Thanks for reporting this issue/problem. Has been fixed in BPS 2.3. πŸ˜‰

    417: @$LoginSecurityRows = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $bpspro_login_table WHERE user_id = %d", $user->ID) );
434: if ( $user && $wpdb->num_rows == 0 && $user->ID != 0 && ! wp_check_password($password, $user->user_pass, $user->ID) ) {
    Thread Starter audeyoe

    (@audeyoe)

    8 years, 10 months ago

    I’m well aware, I was using debug mode to identify errors and issues to be able to fix them. The error occurs either way, you just don’t see it if it’s not logged.

    So, yes, thank you. I just wanted to be sure the error wouldn’t continue to happen.

    Plugin Author AITpro

    (@aitpro)

    8 years, 10 months ago

    Yep, agreed. It is important to note the difference between PHP error types. Strict and Notice PHP errors are not considered critical, but Parse, Warning and Fatal should be considered critical PHP errors. Thanks again for reporting this. πŸ˜‰

    Strict – PHP will suggest making changes to the code which will ensure the best interoperability and forward compatibility of the code.
    Notice – Run-time notices. Indicate that the script encountered something that could indicate an error, but could also happen in the normal course of running a script.
    Parse – Compile-time parse errors. Parse errors should only be generated by the parser. Indicates a syntax error in the code.
    Warning – Run-time warnings (non-fatal errors). Execution of the script is not halted.
    Fatal – Fatal run-time errors. These indicate errors that cannot be recovered from, such as a memory allocation problem. Execution of the script is halted.

    • This reply was modified 8 years, 10 months ago by AITpro.
    Plugin Author AITpro

    (@aitpro)

    8 years, 10 months ago

    Also you are probably already aware of this, but if you submit a POST Form Request while WP_DEBUG is turned On then are you going to see PHP Warning errors > Warning: Cannot modify header information – headers already sent. I believe that is because WP_DEBUG already sends the headers, but don’t quote me on that. πŸ˜‰

Viewing 9 replies - 1 through 9 (of 9 total)

The topic ‘login_security error’ is closed to new replies.