If anyone needs a countdown on the resend button, open includes/classes/Authenticator/class-login.php,
find the resend button and add:
    <p class="2fa-email-resend">
        <input type="submit" id="MyBtn" class="button"
               name="<?php echo esc_attr( self::INPUT_NAME_RESEND_CODE ); ?>"
               value="<?php esc_attr_e( 'Resend Code', 'wp-2fa' ); ?>"/>
        <span id="countdown">0:00</span>
    </p>
and after it add this script:
    <script>
    // WordPress loads jQuery in no-conflict mode, so $ is only available
    // inside this ready handler.
    jQuery( function( $ ) {
        var COUNTDOWN_SECONDS = 59; // how long the button stays disabled

        function startCountDown() {
            var remaining = COUNTDOWN_SECONDS;
            var $btn      = $( '#MyBtn' );
            var $timer    = $( '#countdown' );

            // Render the remaining time as m:ss with zero-padded seconds.
            function render() {
                var minutes = Math.floor( remaining / 60 );
                var seconds = remaining % 60;
                $timer.text( minutes + ':' + ( seconds < 10 ? '0' + seconds : seconds ) );
            }

            $btn.prop( 'disabled', true );
            $timer.show();
            render();

            var count = setInterval( function() {
                remaining--;
                render();
                if ( remaining <= 0 ) {
                    clearInterval( count );
                    $btn.prop( 'disabled', false );
                    $timer.hide();
                }
            }, 1000 );
        }

        // A code has just been sent when this page renders, so start locked.
        startCountDown();

        // The button is a submit input: clicking it posts the form and the
        // page reloads. Disable it only after the click has been dispatched;
        // a button that is already disabled is left out of the form data and
        // the server never sees the resend request.
        $( '#MyBtn' ).on( 'click', function() {
            setTimeout( startCountDown, 0 );
        } );
    } );
    </script>
Thank you for using our plugin, Dowista.
I am afraid I do not understand the problem; to access that button / functionality you need to submit the correct credentials. Then, what is the risk here? The users spamming their own mailbox?
The issue here is that the more checks and limitations you add, the more complex things become and the more restricted the user experience is.
Looking forward to hearing from you.
Hello. Thank you for your answer, @robert681.
"To access that button / functionality you need to submit the correct credentials. Then, what is the risk here? The users spamming their own mailbox?"
Please think deeper. Firstly, why do we use this plugin? To protect accounts and to protect the admin area from unauthorized login. Yes, you are correct, users who log in with their own data probably won't spam their mailbox. But what if a hacker or a person who wants to harm your website gets the login data? They can spam the mailbox until the website host's IP is marked as spam. That is why, for example, companies which use 2FA steps have a delay before you can send your code again.
You can use two layers of protection against this spam:
#1 You can use a script. After the code resend button is pressed, you can disable the button for some time.
#2 Limit login attempts on the website. For example, after 5 login attempts / 5 code resends, the account or IP will be restricted for some time and the user will be informed about that by email.
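The second layer is the one that actually holds: the countdown script only disables a button in the browser, and a direct POST carrying the resend field skips it entirely. Below is an added example of a server-side throttle for the resend action, written for this thread and not taken from the WP 2FA plugin or from its login-limiting plugin. The class name, the transient key prefixes, the mail text and the thresholds (one resend per 60 s, five requests per 15-minute window, then a 30-minute lock-out) are assumptions. It counts per account and per client address, sends the email notification once when the lock triggers, and falls back to an in-memory store so the logic can be replayed from the command line without WordPress.

```php
<?php
// Added example for this thread, not code from the WP 2FA plugin.
// Server-side throttle for the "Resend Code" action. Names (Resend_Throttle,
// the wp2fa_resend_* transient keys) and thresholds are assumptions.
// Inside WordPress the state lives in transients (get_transient/set_transient)
// and the lock-out e-mail goes through wp_mail; outside WordPress a static
// array stands in so the class can be exercised from the command line.

class Resend_Throttle {
    const MIN_INTERVAL = 60;       // seconds between two successful resends
    const MAX_REQUESTS = 5;        // requests per window before the lock-out
    const WINDOW       = 15 * 60;  // length of the counting window, seconds
    const LOCKOUT      = 30 * 60;  // length of the lock-out, seconds

    private static $memory = [];   // fallback store when WordPress is absent

    // One key per account and one per client address: neither a single
    // account nor a single source can be used to flood the mail server.
    private function keys( int $user_id, string $ip ): array {
        return [ 'wp2fa_resend_user_' . $user_id, 'wp2fa_resend_ip_' . md5( $ip ) ];
    }

    private function load( string $key ): array {
        $state = function_exists( 'get_transient' )
            ? get_transient( $key )
            : ( self::$memory[ $key ] ?? false );
        return is_array( $state )
            ? $state
            : [ 'count' => 0, 'first' => 0, 'last_sent' => 0, 'locked_until' => 0 ];
    }

    private function save( string $key, array $state ): void {
        if ( function_exists( 'set_transient' ) ) {
            set_transient( $key, $state, self::WINDOW + self::LOCKOUT );
        } else {
            self::$memory[ $key ] = $state;
        }
    }

    private function notify( int $user_id, string $ip, int $until ): void {
        $user = function_exists( 'get_userdata' ) ? get_userdata( $user_id ) : false;
        if ( $user && function_exists( 'wp_mail' ) ) {
            wp_mail(
                $user->user_email,
                'Too many 2FA code requests',
                sprintf(
                    "Code resends for your account are paused until %s after repeated requests from %s.\n"
                    . 'If this was not you, change your password.',
                    gmdate( 'c', $until ),
                    $ip
                )
            );
        }
    }

    // Decide whether this resend request may go ahead and record it.
    // Returns 'ok', 'too_soon' or 'locked'. Call it before generating and
    // mailing the code. $now is injectable so the behaviour can be replayed.
    public function check( int $user_id, string $ip, int $now = 0 ): string {
        $now     = $now ?: time();
        $verdict = 'ok';
        $states  = [];

        foreach ( $this->keys( $user_id, $ip ) as $key ) {
            $s = $this->load( $key );
            // Open a fresh window once the old one and any lock-out have passed.
            if ( $now >= $s['locked_until'] && $now - $s['first'] >= self::WINDOW ) {
                $s = [ 'count' => 0, 'first' => $now, 'last_sent' => 0, 'locked_until' => 0 ];
            }
            if ( $now < $s['locked_until'] ) {
                $verdict = 'locked';
            } elseif ( 'ok' === $verdict && $now - $s['last_sent'] < self::MIN_INTERVAL ) {
                $verdict = 'too_soon';
            }
            $states[ $key ] = $s;
        }

        $locked_now = 0;
        foreach ( $states as $key => $s ) {
            $s['count']++;                      // refused requests count as well
            if ( 'ok' === $verdict ) {
                $s['last_sent'] = $now;
            }
            if ( $s['count'] >= self::MAX_REQUESTS && $s['locked_until'] <= $now ) {
                $s['locked_until'] = $now + self::LOCKOUT;
                $locked_now        = $s['locked_until'];
            }
            $this->save( $key, $s );
        }
        if ( $locked_now ) {
            $this->notify( $user_id, $ip, $locked_now );   // one mail, not one per key
        }
        return $verdict;
    }
}

// Command-line replay with a constructed clock (no WordPress needed): six
// requests for the same account and address at 0, 5, 61, 122, 183 and 244 s.
if ( PHP_SAPI === 'cli' && ! function_exists( 'get_transient' ) ) {
    $throttle = new Resend_Throttle();
    $start    = 1700000000;
    foreach ( [ 0, 5, 61, 122, 183, 244 ] as $offset ) {
        printf( "t+%3ds  %s\n", $offset, $throttle->check( 42, '203.0.113.7', $start + $offset ) );
    }
}
```

To wire it in, run `$throttle->check( $user->ID, $client_ip )` in the handler that receives the resend submit, before the code is generated, and show a generic error for anything other than `'ok'` so the response does not reveal which limit fired. `$_SERVER['REMOTE_ADDR']` is the real client only when no reverse proxy or CDN sits in front of the site; behind one, take the address from the header that proxy is configured to set, and never from a client-supplied `X-Forwarded-For`, otherwise the per-address key is trivially spoofable. In the command-line replay, the second request five seconds after the first is refused as `too_soon`, the next three a minute apart go through, and the sixth is `locked` because the fifth reached the limit and triggered the lock-out.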
Thank you very much for the detailed information and explanation, Dowista.
I have added this to our to-do list so we can see how / if we can improve this. By the way, we already have a plugin which limits login attempts on WordPress.