Resolved Handoko

    (@handoko-zhang)


    I’m a new user of this plugin. It seems great, so I set up some tests before I use it on my websites.

    I found some things that are not working correctly. So far I have only tested the features related to User Login, and only on a multisite environment; I’m not sure whether these problems will also happen on a single-site installation. To avoid my IP being blocked, I used TOR, which allows me to have an extra IP to perform the login attempts.

    I installed this plugin on a multisite environment and enabled the login lockdown on one of the sites with these test settings:
    – Enable Login Lockdown Feature: enabled
    – Max Login Attempts: 2
    – Login Retry Time Period (min): 5
    – Time Length of Lockout (min): 10
    – Notify By Email: enabled

    1. Time Length of Lockout issue

    Great, it really locks out the bad login after 2 attempts. Here is the message that appeared:

    401 Unauthorized
    Proper authorization is required to access this resource! Powered By LiteSpeed Web Server
    LiteSpeed Technologies is not responsible for administration and contents of this web site!

    But the problem is that the lockout period is not 10 minutes. I can access the login page again after only several seconds.

    2. Email Notification issue

    I received no email notification; I even checked the spam mailbox and found no notification.

    3. Fail Login Record issue

    In the Failed Login Records, there is nothing.

    4. Account Activity issue

    I logged in, logged out and generated failed logins on the subdomain site, but there is nothing in the Account Activity logs.

    http://ww.wp.xz.cn/plugins/all-in-one-wp-security-and-firewall/

Viewing 7 replies - 1 through 7 (of 7 total)
    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi @handoko,
    Thanks for the info – we really appreciate it and it will help us make this plugin more user-friendly and robust.

    We will go through each of the points listed by you and try to reproduce these on our multi-site test platform and address any problems we uncover.

    PS: We are aware of some multi-site bugs with our plugin and are addressing them currently.

    If it helps your investigations, here is what I have found. I have many multi-site (network) sites.

    I haven’t tested it as thoroughly as above, but I have different results.

    The lockout time works for me. I get the email notification. The failed logins are recorded in Failed Login Records. Account Activity is also working for me.

    Thread Starter Handoko

    (@handoko-zhang)

    Could it be a server issue on my side? But I also tested on my other website (which is also on the same server), and it works correctly, just as rexgoode said. So it seems less likely to be a server issue.

    I guess it might be a conflict with my other plugins. I will test it again tomorrow.

    Thanks rexgoode for the information.

    @handoko, I will be watching this thread. Though it worked for me when I tested it, I’ve often seen brute force attacks on some of my installations that seemed to ignore these settings. I hope you will share whatever you find.

    Thread Starter Handoko

    (@handoko-zhang)

    @rexgoode, I found that the TOR browser automatically changes IP every few minutes, which made my tests of the lockout time inaccurate. As for the login records and user activities, I reinstalled this plugin and now they seem to be working correctly. I’m going to use this plugin on my ‘real’ website, and will report back later.

    Thread Starter Handoko

    (@handoko-zhang)

    Hello, I’m back to report my new test results.

    === Settings for The Test ===

    WordPress: version 3.6 Multisite
    All In One WP Security & Firewall: version v2.1.1
    Browser: TOR version 0.2.2.37

    Sites:
    – site1 (main site)
    – site2 (sub domain site)
    – site3 (sub domain site)

    All In One WP Security & Firewall:
    – Installed and network activated
    – Login Lockdown only enabled on site2
    – Max Login Attempts: 2, Login Retry Time: 3, Length of Lockout: 5
    – Notify By Email: enabled

    Login URLs tested:
    – site1.mysite.com/wp-login.php
    – site2.site1.mysite.com/wp-login.php
    Note:
    This multisite is installed and mapped correctly as a subdomain. So the main site (site1) is shown as a subdomain of mysite. Mysite is a fake name for my real domain.

    === Test Results ===

    I generated many failed login attempts on site1 and received an error saying my IP had been blocked. After that I couldn’t access the login page; it said “401 Unauthorized”.
    Conclusion: Login Lockdown works on the main site, even though I only enabled it on a sub site.

    I generated many failed login attempts on site2 and it worked too.
    Conclusion: Login Lockdown works on the sub site where I enabled it.

    After performing the login attempts, in the Failed Login Records of site2, there was nothing recorded.
    Conclusion: Failed logins are not recorded on the sub site where I enabled it.

    I went to the Failed Login Records of site1; those failed logins were recorded successfully. But it seemed only the failed logins of site1 were being recorded, not those of site2. I know this because I was using different usernames for testing each site.
    Conclusion: Failed logins are recorded on the main site, and only failed logins of the main site are recorded.

    I checked my email. One of the notification emails went to my spam box. The notification seems to be working, but all the notifications said “Username: unknown”, although on the Failed Login Records screen the usernames were recorded correctly.
    Conclusion: Email notification works, but it always tells you username = unknown.

    === Notes ===

    My webhost company is strict about security. If I make too many failed logins, my IP will be permanently blocked by the server firewall, which means I will need to contact them to explain why that happened. For this reason, I used TOR during the tests. The disadvantage of using TOR is that it randomly changes the IP every few minutes, which makes the test for Login Retry Time Period inaccurate.

    My tests show the “User Login” features work, but there were some small issues; it seems the plugin fails to handle multisite settings correctly.

    I also started a topic about multisite issue here:
    http://ww.wp.xz.cn/support/topic/multisite-compatible-20

    I like this plugin, hope the developer can fix all the issues soon.
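The lockdown policy from the settings above (2 attempts, 3-minute retry window, 5-minute lockout), modelled as an added example in Python; this is not the plugin's own code, and the IP addresses and timestamps are constructed. It shows how a per-IP counter behaves and why a rotating TOR exit IP makes the lockout-time measurement reported above unreliable: each new address starts with a clean counter.

```python
from collections import defaultdict

# Lockdown settings reported in the test above (minutes converted to seconds below).
MAX_LOGIN_ATTEMPTS = 2
LOGIN_RETRY_PERIOD_MIN = 3
LOCKOUT_LENGTH_MIN = 5


class LoginLockdown:
    """Hypothetical per-IP failed-login counter: a sliding retry window plus a fixed lockout.
    Reference model for the settings discussed in the thread, not the plugin's implementation."""

    def __init__(self, max_attempts=MAX_LOGIN_ATTEMPTS,
                 retry_min=LOGIN_RETRY_PERIOD_MIN, lockout_min=LOCKOUT_LENGTH_MIN):
        self.max_attempts = max_attempts
        self.retry_secs = retry_min * 60
        self.lockout_secs = lockout_min * 60
        self.failures = defaultdict(list)   # ip -> timestamps of failures inside the retry window
        self.locked_until = {}              # ip -> time (seconds) at which the lockout expires

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Record one failed login from ip at time now; return True if ip is locked afterwards."""
        if self.is_locked(ip, now):
            return True
        window = [t for t in self.failures[ip] if now - t < self.retry_secs]  # drop stale failures
        window.append(now)
        self.failures[ip] = window
        if len(window) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout_secs
            self.failures[ip] = []          # counter restarts once the lockout has been applied
            return True
        return False


def simulate_tor_test():
    """Reproduce the observation above: the same IP is locked after two failures, but failures
    arriving from a rotated exit IP never accumulate, so the login page is reachable again."""
    ld = LoginLockdown()
    fixed = [ld.record_failure("203.0.113.10", t) for t in (0, 30)]                 # constructed IP
    rotated = [ld.record_failure(ip, t) for ip, t in (("198.51.100.7", 0), ("198.51.100.8", 30))]
    spread = [ld.record_failure("192.0.2.5", t) for t in (0, 200)]                 # 200 s > 3 min
    return {
        "fixed_ip_locked_after_2": fixed[-1],
        "fixed_ip_still_locked_at_4min": ld.is_locked("203.0.113.10", 240),
        "fixed_ip_unlocked_at_6min": not ld.is_locked("203.0.113.10", 360),
        "rotated_ip_never_locked": not any(rotated),
        "spread_attempts_not_locked": not any(spread),
    }
```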

    Plugin Contributor wpsolutions

    (@wpsolutions)

    @handoko,
    Thanks for the detailed info and testing – we appreciate it.
    We will try to address the above points in upcoming versions of the plugin.


The topic ‘User Login issues’ is closed to new replies.