• Resolved vivalis

    (@vivalis)


    I have the same problem as the user that brought up this topic: https://ww.wp.xz.cn/support/topic/ultimate-member-and-loginizer/

    I’ve implemented the solution in the linked topic, but it doesn’t work. I’ve added an error_log in the ‘um_submit_form_error_custom’ function, and it shows that $key is ‘user_password’ despite the IP being blocked by Loginizer.

    Do you have an updated solution for this? Thanks in advance. Your great support is highly appreciated.

    Kind regards, Roger

Viewing 13 replies - 1 through 13 (of 13 total)
  • @vivalis

    Yes, the old Loginizer code snippet can’t be used any more.
    Try to use this code snippet, where a list of valid Loginizer error codes
    is sent for usage by the UM login script.

    add_filter( 'um_custom_authenticate_error_codes', 'um_custom_authenticate_error_codes_loginizer', 10, 1 );
    
    function um_custom_authenticate_error_codes_loginizer( $array ) {
    
        return array( 'ip_blocked', 'ip_blacklisted' );
    }

    Install the code snippet into your active theme’s functions.php file
    or use the “Code Snippets” plugin.

    https://ww.wp.xz.cn/plugins/code-snippets/

    Thread Starter vivalis

    (@vivalis)

    Thank you, Veronica. Your quick support is very appreciated. There remain 1 question and 1 problem:

    Question: Do you happen to know why every failed login try in the UM login form counts as 2 login attempts in Loginizer?

    Problem: When the IP is blocked or blacklisted, the Loginizer error message about exceeded maximum retries or blacklisted IP appears above the login fields. Problem is that the UM wrong password message also appears IF the password is wrong, but it doesn’t appear if the password is correct. That way, despite the IP being blocked, an attacker can keep trying to discover the correct password (correct pw is found when only Loginizer error message appears, but not the UM wrong pw message).

    @vivalis

    “counts as 2 login attempts in Loginizer”

    I can’t reproduce this issue.
    Have you disabled WP and WooCommerce login?

    “Problem is that the UM wrong password message also appears IF the password is wrong, but it doesn’t appear if the password is correct.”

    This updated code snippet will now disable any password error message from UM
    when Loginizer has a valid error code.

    add_filter( 'um_custom_authenticate_error_codes', 'um_custom_authenticate_error_codes_loginizer', 10, 1 );
    
    function um_custom_authenticate_error_codes_loginizer( $array ) {
    
        return array( 'ip_blocked', 'ip_blacklisted' );
    }
    
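    // Run after Loginizer's own 'authenticate' filter (priority 10001).
    add_filter( 'authenticate', 'loginizer_um_integration', 10002, 1 );
    
    function loginizer_um_integration( $loginizer ) {
    
        // Only a WP_Error carries error codes; a successful login passes a WP_User here.
        if ( is_wp_error( $loginizer ) ) {
            if ( $loginizer->get_error_code() == 'ip_blocked' || 
                 $loginizer->get_error_code() == 'ip_blacklisted' ) {
    
                // Remove UM's password error so only the Loginizer message is shown.
                if ( isset( UM()->form()->errors['user_password'] ) ) {
                    unset( UM()->form()->errors['user_password'] );
                }
            }
        }
        return $loginizer;
    }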
    Thread Starter vivalis

    (@vivalis)

    Thank you very much, Veronica. This works now and no UM wrong pw message is shown if there’s a Loginizer IP blocked/blacklisted error message. 👍

    I have the following code to prevent access to the wp login page. Enabling/disabling this code doesn’t have an impact on every failed login try being counted as 2 login attempts in Loginizer. Is there a better way to disable WP login?

    add_action('init','custom_login');
    function custom_login(){
      global $pagenow;
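      // Redirect every wp-login.php request except logout; isset() avoids an undefined-index warning.
      if( 'wp-login.php' == $pagenow && ( ! isset( $_GET['action'] ) || $_GET['action'] != "logout" ) ) {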
        wp_redirect( home_url() );
        exit;
      }
    }

    @vivalis

    This code snippet should work, or use the UM solution:

    https://docs.ultimatemember.com/article/1337-replace-wp-native-login-urls

    These are the hooks used by Loginizer during login;
    the code is copied from loginizer/init.php lines 306/319.
    Do you have the add_action('wp_authenticate'... commented?

    // Use this to verify before WP tries to login
    // Is always called and is the first function to be called
    //add_action('wp_authenticate', 'loginizer_wp_authenticate', 10, 2);// Not called by XML-RPC
    add_filter('authenticate', 'loginizer_wp_authenticate', 10001, 3);// This one is called by xmlrpc as well as GUI
    
    // Is called when a login attempt fails
    // Hence Update our records that the login failed
    add_action('wp_login_failed', 'loginizer_login_failed');
    
    // Is called before displaying the error message so that we dont show that the username is wrong or the password
    // Update Error message
    add_action('wp_login_errors', 'loginizer_error_handler', 10001, 2);
    add_action('woocommerce_login_failed', 'loginizer_woocommerce_error_handler', 10001);
    add_action('wp_login', 'loginizer_login_success', 10, 2);
    Thread Starter vivalis

    (@vivalis)

    Yes, the line //add_action('wp_authenticate'... is commented in the init.php of my Loginizer installation…

    @vivalis

    Try this code snippet for more info about the Loginizer WP errors.

    The code snippet will post all WP Redirects and WP Errors and stack trace
    to the debug.log file in your wp-content folder.

    add_action( 'wp_error_added', 'wp_redirect_custom_log', 10, 3 );
    add_filter( 'x_redirect_by', 'wp_redirect_custom_log', 10, 3 );
    
    function wp_redirect_custom_log( $x_redirect_by, $location, $status ) {
    
        global $current_user;
    
        $traces = debug_backtrace( DEBUG_BACKTRACE_PROVIDE_OBJECT );
        $plugin_trace = array();
    
        foreach ( $traces as $trace ) {
            if( isset( $trace['file'] )) {
    
                if ( strpos( $trace['file'], '/plugins/' ) > 0 ) {
                    $file = explode( '/plugins/', $trace['file'] );
                    if( substr( $file[1], 0, 22 ) != 'wp_redirect_custom_log' ) {
                        $plugin_trace[] = $file[1] . ':' . $trace['line'];
                    }
                } 
    
                if ( strpos( $trace['file'], '/themes/' ) > 0 ) {
                    $file = explode( '/themes/', $trace['file'] );
                    $plugin_trace[] = 'T: ' . $file[1] . ':' . $trace['line'];
                }
    
                if ( strpos( $trace['file'], '/wp-includes/' ) > 0 ) {
                    $file = explode( '/wp-includes/', $trace['file'] );
                    $plugin_trace[] = 'WP: ' . $file[1] . ':' . $trace['line'];
                }
            }
        }
    
        $trace = date_i18n( 'Y-m-d H:i:s ', current_time( 'timestamp' )) . 'user_id ' . $current_user->ID;
    
        if ( is_numeric( $location )) {
            $trace .= ' redirect by ' . $x_redirect_by . ', ' . $location . ', ' .  $status;
        } else {
            $trace .= ' WP error code ' . $x_redirect_by . ', message ' . $location . ', data ';
            if ( ! is_array( $status )) {
                $trace .= $status;
            }
            
        }
    
        $trace .= ' stack trace: ' . implode( ', ', $plugin_trace );
    
        // PHP_EOL ends each entry with a newline; chr(13) alone is a bare carriage return.
        file_put_contents( WP_CONTENT_DIR . '/debug.log', $trace . PHP_EOL, FILE_APPEND  );
    
        return $x_redirect_by;
    }

    @vivalis

    I have added a UM bug report about the UM “Password is incorrect. Please try again.” error message.

    https://github.com/ultimatemember/ultimatemember/issues/1355

    Thread Starter vivalis

    (@vivalis)

    Thanks, Veronica. The code snippet for debugging WP redirects and errors didn’t bring any clue.

    @vivalis

    Can you post here in the Forum an example of the double counts of retries traced by the code snippet?

    Thread Starter vivalis

    (@vivalis)

    Sure. This is the output of the code snippet after 1 failed login that counted as 2 attempts in Loginizer:

    2023-11-06 16:25:22 user_id 0 WP error code invalid_username, message Fehler: Der Benutzername TestUser1 ist auf dieser Website nicht registriert. Falls Sie über Ihren Benutzernamen unsicher sind, versuchen Sie es stattdessen mit Ihrer E-Mail-Adresse., data stack trace: WP: class-wp-hook.php:312, WP: class-wp-hook.php:334, WP: plugin.php:517, WP: class-wp-error.php:209, WP: class-wp-error.php:66, WP: user.php:166, WP: class-wp-hook.php:310, WP: plugin.php:205, ultimate-member/includes/core/um-actions-login.php:64, WP: class-wp-hook.php:312, WP: class-wp-hook.php:334, WP: plugin.php:517, ultimate-member/includes/core/um-actions-form.php:172, WP: class-wp-hook.php:310, WP: class-wp-hook.php:334, WP: plugin.php:517, ultimate-member/includes/core/class-form.php:670, WP: class-wp-hook.php:310, WP: class-wp-hook.php:334, WP: plugin.php:517, WP: template-loader.php:13

    2023-11-06 16:25:22 user_id 0 WP error code user_password, message Das Passwort ist nicht korrekt. Bitte versuchen Sie es erneut., data stack trace: WP: class-wp-hook.php:312, WP: class-wp-hook.php:334, WP: plugin.php:517, WP: class-wp-error.php:209, ultimate-member/includes/core/class-form.php:369, ultimate-member/includes/core/um-actions-login.php:84, WP: class-wp-hook.php:312, WP: class-wp-hook.php:334, WP: plugin.php:517, ultimate-member/includes/core/um-actions-form.php:172, WP: class-wp-hook.php:310, WP: class-wp-hook.php:334, WP: plugin.php:517, ultimate-member/includes/core/class-form.php:670, WP: class-wp-hook.php:310, WP: class-wp-hook.php:334, WP: plugin.php:517, WP: template-loader.php:13

    2023-11-06 16:25:22 user_id 0 WP error code invalid_username, message Fehler: Der Benutzername TestUser1 ist auf dieser Website nicht registriert. Falls Sie über Ihren Benutzernamen unsicher sind, versuchen Sie es stattdessen mit Ihrer E-Mail-Adresse., data stack trace: WP: class-wp-hook.php:312, WP: class-wp-hook.php:334, WP: plugin.php:517, WP: class-wp-error.php:209, WP: class-wp-error.php:66, WP: user.php:166, WP: class-wp-hook.php:310, WP: plugin.php:205, ultimate-member/includes/core/um-actions-login.php:64, WP: class-wp-hook.php:312, WP: class-wp-hook.php:334, WP: plugin.php:517, ultimate-member/includes/core/um-actions-form.php:172, WP: class-wp-hook.php:310, WP: class-wp-hook.php:334, WP: plugin.php:517, ultimate-member/includes/core/class-form.php:670, WP: class-wp-hook.php:310, WP: class-wp-hook.php:334, WP: plugin.php:517, WP: template-loader.php:13

    2023-11-06 16:25:22 user_id 0 WP error code user_password, message Das Passwort ist nicht korrekt. Bitte versuchen Sie es erneut., data stack trace: WP: class-wp-hook.php:312, WP: class-wp-hook.php:334, WP: plugin.php:517, WP: class-wp-error.php:209, ultimate-member/includes/core/class-form.php:369, ultimate-member/includes/core/um-actions-login.php:84, WP: class-wp-hook.php:312, WP: class-wp-hook.php:334, WP: plugin.php:517, ultimate-member/includes/core/um-actions-form.php:172, WP: class-wp-hook.php:310, WP: class-wp-hook.php:334, WP: plugin.php:517, ultimate-member/includes/core/class-form.php:670, WP: class-wp-hook.php:310, WP: class-wp-hook.php:334, WP: plugin.php:517, WP: template-loader.php:13
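
A debug log in this format can be checked mechanically for errors that were raised more than once with the same call stack. The following is an added example, not part of the original posts: it assumes the entry layout written by the wp_redirect_custom_log snippet in this thread, and the sample entries (shortened stacks, English messages) are constructed.

```python
import re
from collections import Counter

# Constructed sample in the layout written by wp_redirect_custom_log().
# Entries are joined with a bare "\r" to exercise the no-newline case.
SAMPLE_LOG = "\r".join([
    "2023-11-06 16:25:22 user_id 0 WP error code invalid_username, message Error: unknown user, "
    "try your e-mail., data  stack trace: WP: user.php:166, "
    "ultimate-member/includes/core/um-actions-login.php:64, WP: template-loader.php:13",
    "2023-11-06 16:25:22 user_id 0 WP error code user_password, message Password is incorrect., "
    "data  stack trace: ultimate-member/includes/core/class-form.php:369, "
    "ultimate-member/includes/core/um-actions-login.php:84, WP: template-loader.php:13",
] * 2)

# Split on the timestamp prefix, not on line breaks, so run-together entries still parse.
ENTRY_START = re.compile(r"(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} user_id \d+ )")
ENTRY = re.compile(
    r"(?P<ts>\S+ \S+) user_id \d+ WP error code (?P<code>\S+?), message .*?, "
    r"data .*?stack trace: (?P<stack>.*)",
    re.S,
)


def parse_entries(raw):
    """Return WP error entries as dicts; redirect entries are skipped."""
    entries = []
    for chunk in ENTRY_START.split(raw):
        match = ENTRY.match(chunk.strip())
        if match:
            frames = tuple(f.strip() for f in match["stack"].split(",") if f.strip())
            entries.append({"ts": match["ts"], "code": match["code"], "frames": frames})
    return entries


def repeated_errors(raw):
    """List (code, count, plugin frames) for errors logged more than once per second."""
    counts = Counter((e["ts"], e["code"], e["frames"]) for e in parse_entries(raw))
    return [
        (code, n, [f for f in frames if not f.startswith(("WP:", "T:"))])
        for (_ts, code, frames), n in counts.items()
        if n > 1
    ]


if __name__ == "__main__":
    for code, n, plugin_frames in repeated_errors(SAMPLE_LOG):
        print(f"{code}: logged {n}x via {plugin_frames}")
```

Timestamps in this log have one-second resolution, so two separate attempts within the same second are also reported as a repeat.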

    @vivalis

    I can’t reproduce this issue with double authentication.
    Try to do a Theme/Plugin conflict test.

    https://docs.ultimatemember.com/article/96-how-to-do-a-plugin-theme-conflict-test

    Plugin Support andrewshu

    (@andrewshu)

    Hi @vivalis

    This thread has been inactive for a while so we’re going to go ahead and mark it Resolved.

    Please feel free to re-open this thread if any other questions come up and we’d be happy to help. 🙂

    Regards


The topic ‘Wrong error message when IP blocked by Loginizer’ is closed to new replies.