Serious security issue (“WP Security Scan” plugin with “Login LockDown” plugin)

  • Resolved theeconomist

    (@theeconomist)


    16 years, 9 months ago

    I recentlly installed wordpress 2.8.4

    I changed “admin” user into “something-else” for security reasons (I did it in database) — I dont think that is relevant though!

    I added “Login LockDown” plugin, which locks IP range for some time, if there are several unsucessful login attempts. All was OK.

    Then I added “WP Security Scan” plugin and it seemed OK.

    BUT!!! When I tried several unsucessful login attempts, Login LockDown STOPED WORKING!

    It did write a notice that my IP range is blocked, but I could log in anyway (with correct password of course). So my IP was not blocked at all.

    If I disable “WP Security Scan” everything gets back to normal.

    So, in short… there is incompatibilty between these two plugins.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter theeconomist

    (@theeconomist)

    16 years, 9 months ago

    To be fair, it seems this problem only happens sometimes… I dont know why.

    But I did managed to log in multiple times, when I shouldnt be able to. And when I see the Login LockDown options panel I can see this:

    Currently Locked Out

    **.***.**.** (3 minutes left)

    **.***.**.** (4 minutes left)

    —-

    **.***.**.** is my IP address… the same in both cases.

    Samuel B

    (@samboll)

    16 years, 9 months ago

    I think the wp-security scan folks would be interested in this. Have you contacted them?

    mvandemar

    (@mvandemar)

    16 years, 8 months ago

    I have seen other threads indicating that WP Security scan does not always play well with other plugins that interact with the login process, although to be honest I have no idea why. I went through his code and did not see where it interacted with the login at all. Someone else reported this issue to me as well.

    I did notice that the current version of his plugin is supposedly only compatible up to WP 2.8, and both you and the other person who reported it causing issues with Login LockDown were using 2.8.4 (as you and everyone else should be, due to security holes in earlier versions), but again no idea if that is what the issue is. Also, for some strange reason the author of WP Security Scan has it flagged as being in beta in his readme file (although not indicated as such anywhere else), so I would take caution in using it in a live environment anyways.

    I will try and do some testing on it soon and see if I can replicate the problem.

    mvandemar

    (@mvandemar)

    16 years, 8 months ago

    I just updated Login LockDown. One of the things I fixed was an issue where locking out even on invalid usernames was not functioning as intended.

    TheEconomist, since you described the issue you were having as being somewhat random, it may be that it did not actually have anything to do with WP Security Scan. Can you please upgrade to Login LockDown 1.5 and let me know if you are able to replicate the issue still?

    Thanks.

    Thread Starter theeconomist

    (@theeconomist)

    16 years, 8 months ago

    Hello, mvandemar!

    I re-installed WP, just as I did last time (with the difference that this time during the installation I changed MySQL database tables names to something other than “wp_”)

    I installed “Login LockDown 1.5” as you advised. Then I added “WP Security Scan” plugin.

    This time there is no problem. If I lock out my IP, I can NOT log in.

    I DONT KNOW what went wrong last time, but since you mentioned that in the new “Login LockDown 1.5” you fixed an issue where locking out even on invalid usernames was not functioning as intended, there is possiblility that that was the cause of problems…. because I indeed was using function “Lockout Invalid Usernames” last time.

    Whatever the cause, thanks for updating Login LockDown.

    Cheers

    mvandemar

    (@mvandemar)

    16 years, 8 months ago

    TheEconomist – great! I am glad it is working for you now. This must mean that it was the bug you were encountering before then, and not an issue with wp-security-scan.

    If you get a chance, could you please go ahead and mark this thread as resolved please? Thanks! 🙂

    -Michael

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘Serious security issue (“WP Security Scan” plugin with “Login LockDown” plugin)’ is closed to new replies.