I have noticed that discovering user names via the ?author= URI is still possible when the Block Author Query feature is set to “On, redirect requests to the home page.” This is not the expected behaviour and is a security problem.
The problem has occurred on a productive website, and I was able to reproduce it on a fresh install with WordPress 6.1.1.

Hello,
Will you tell me whether Login Security Solution is GDPR compliant?
Thank you

Ran php-compatibility-checker, and it came up with this, and only this error.
############################################################
############################################################
Name: Login Security Solution
FILE: ~/wp-content/plugins/login-security-solution/login-security-solution.php
—————————————————————————————————————
FOUND 1 ERROR AND 1 WARNING AFFECTING 2 LINES
—————————————————————————————————————
969 | ERROR | Extension ‘mysql_’ is deprecated since PHP 5.5 and removed since PHP 7.0; Use mysqli instead
1485 | WARNING | INI directive ‘safe_mode’ is deprecated since PHP 5.3 and removed since PHP 5.4
—————————————————————————————————————
Update Available: 0.56.0; Current Version: 0.48.0;
############################################################
############################################################
Sorry, I don’t know how to read PHP, but below is the actual code snippet.
Looks like a pre-check/fallback code. An error that can be ignored? :
############################################################
############################################################
963     }
964     ###$this->log(__FUNCTION__, $this->sleep);
965
966     if (!defined('LOGIN_SECURITY_SOLUTION_TESTING')) {
967         // Keep login failures from becoming denial of service attacks.
968         if (empty($wpdb->use_mysqli)) {
969             mysql_close($wpdb->dbh);
970         } else {
971             mysqli_close($wpdb->dbh);
972         }
973
974         sleep($this->sleep);
975
976         $wpdb->db_connect();
977     }
978
979     return $this->sleep;
980 }

I’ve apparently made an error in setting up my reCaptcha(v3) or in copying and pasting the site key and/or secret key.
Now I’m effectively locked out from my own dashboard – when I attempt to login I get:
ERROR for site owner: invalid key type and the reCaptcha logo
I’ve used cpanel to remove the Login Security Solution plugin, but continue to get the error when I attempt to log in.
HELP!?

Hi,
I like your plugin and hope that you will be updating it again before long!
When you do, here is an issue that should be simple to address.
Your options page throws two error notices:
Notice: screen_icon is deprecated since version 3.8.0 with no alternative available. in /[path to]/wp-includes/functions.php on line 3843
Notice: get_screen_icon is deprecated since version 3.8.0 with no alternative available. in /[path to]/wp-includes/functions.php on line 3843
This forum post seems to provide the answer on how you can fix this:
I’m looking forward to your next update!

Would it be possible to limit the stricter requirements for login to only some user levels? It would be great if, for example, Subscribers would be exempt from the higher login requirements required by this plugin.

In the French translation there is an error in the message displayed when the grace period to change password is over in the login page to access admin section in WordPress.
in the file : login-security-solution-fr_FR.po
# @ login-security-solution
#: login-security-solution.php:718 tests/LoginMessageTest.php:78
msgid "Please submit this form to reset your password."
msgstr "Veuillez remplir ce formulaire pour ré-initialiser votre mor de passe."
We should read ‘mot de passe’ and not ‘mor…’ as ‘mor’ is not a real word in French. It’s just a small typo in the translation.
Could you please fix it for the next release and tell me the right way to fix it while waiting for the plugin correction?
Thanks

To check some things out, we deactivated all plugins, then reactivated them. Login Security Solution has now put a large message at the top of the plugins page telling me to have everyone change their passwords. Everyone’s passwords are very strong, so this is not needed.
A few years ago, I remember being able to turn this message off, but cannot find how to do that now. Does anyone know how to do this? This message is taking up a lot of real estate on the page and we can’t get rid of it.
Thanks!

Feature Request: configurable email subject line
I know that “ATTACK HAPPENING TO” is intended to shout an obvious warning message to the email recipient. But there are situations where some other, milder subject line might be more appropriate.
Since there is very little that you can do while an attack is underway anyway, the ALL CAPS SUBJECT LINE seems unnecessarily alarmist for some recipients.
In my experience with this plugin, it has proven to be a sad eye-opener that hacking attempts happen regularly on many (most?) websites. Combined with the fact that the email is just a notification that the plugin is doing its intended job correctly, and that you are in no imminent danger, a less alarming subject line could be appropriate.
In some ways, the subject line is not accurate or reflective of the situation, or suggests something worse than is happening. It is really an attack attempt that is occurring. An “attack attempt is being repelled”.
New site owners freak out the first several times they see the message. I always need to prepare the site owners ahead of time that they will be receiving those messages, and that they really don’t need to worry about them. And then I need to reassure them several times: after they receive the first one, and after they receive several more. And then again some months later when they have grown tired of seeing these. “No, you really don’t need to worry about those messages. No, there is really nothing that needs to be done. Yes, the plugin is working and there is nothing to worry about.”
I recommend that a configurable subject line, or option to choose between subject lines, (even if you keep the current one as the ‘default’ option) would be a big improvement.
It would also help if there were an option to NOT send the email message to the site’s default email address, but rather only to the additional address(es) that you can enter.
Thanks. Great plugin!

Just curious, and wondering if anyone knows about this:
How do hackers find out the user-names of registered users?
One of our user accounts has a unique and not-obvious user name; it contains letters and numbers in a non-intuitive pattern. Login Security Solutions notified me that an attacker was trying to gain admittance using that user-name. It seems unlikely that they randomly guessed that user-name. How do they get a hold of them? What are some of the ways they can ‘learn’ user names?
Related question: are user names case-insensitive?

Hi there,
I use your login security plugin, and I have a question concerning notifications. Is it possible to check if our user tries to log in and somewhere else or the IP address of the user changes?

I would like to upgrade PHP to Version 7
I ran a compatibility checker and it tells me that Login Security Solution is not compatible with 7
ERROR | Extension ‘mysql_’ is deprecated since PHP 5.5 and removed since PHP 7.0; Use mysqli instead
Is this going to be fixed ?

Hi there. It’s been over 365 days since “Login Security Solution” has been updated. I love this plugin and REALLY want it to keep working. Could the developer(s) please review the compatibility with the latest version of WordPress and make an update to keep it fresh on the repository?
Many Thanks.
Richard

Hi!
A Content Encoding Error “The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression.” is raised when the user is redirected to this address:
mysite.com/?redirect_to=%2Fwp-admin%2F&action=login&login-security-solution-login-msg-id=idle
Any idea how to fix that ?
Thanks for support
BR

Does this plugin add Captcha so that user has to fill that in before logging in?

Firstly, thank you Daniel for a great plugin. You have protected my site numerous times.
My site is currently under attack, for over 3 hours now. Login security solutions is blocking the attempts, but it is nerve-wracking to watch it happening.
Is there anything else I can do to stop it?
Thanks
Karen

I probably missed some announcement awhile ago, so this question may be redundant to some. I keep getting a message when I am trying to log into my sites that “this connection is not secure.” It is very annoying and I can’t get rid of it. Since it is obviously something that WP implemented that I was not aware of, I’m not even sure what it means. And understanding all the ramifications of hacking, etc. is way above my knowledge level. Nobody needs to access my sites but me. I really don’t want another set of usernames and passwords. I’m getting too old to begin having to make things more complicated than I need. Can someone tell me how to fix this problem? What do I need to make these annoying warnings go away? Thank you anyone for your help.

Hi,
I saw similar requests in this forum earlier but no fix if I understand it right, please excuse if I did get it wrong. I really like this plugin but would need to set the password strength to 7 keys instead of 10. Automatically the plugin enforces a minimum of 10 keys. While I love that the plugin enforces the use of upper and lower case and special symbols my client wants me to use 7 keys as 10 is too much for them. The site is hosted on their own server as an intranet using their own security on top.
If there is a tweak to this it would be highly appreciated.
Best regards,
Max

Hi Community,
I just started using Login Security Plugin and am convinced of its high potential and would love to use it for my website. I set it up and it seems to work perfectly fine. I was urged to change the password for all other users apart from the administrator after the install. I went ahead and did that. This resulted not only in all users having to change their password but also me as administrator having to change my password for some reason I am not aware of. When entering my usual username and password I am informed that my PW has to be updated, I am prompted to enter my email address and a mail with the update link will be sent to me. I enter the email address but the mail does not get sent. I get the message “mail could not be sent. Possible reasons the function mail() is deactivated”. Same happens to all other users.
I did not find this function setting or the reason for the mails not being sent.
Please let me know if you are aware of this issue and have a possible solution. I would really appreciate it.
Best regards,
Max

Hello,
Your plugin is only one error away from being able to be run without errors with PHP 7.
From the scan the problem to fix is the following :
– file : /login-security-solution/login-security-solution.php
– error : 1013 | ERROR | Extension ‘mysql_’ is deprecated since PHP 5.5 and removed since PHP 7.0 – use mysqli instead.
Could you fix this one please ?

Hi,
I am trying to figure something out for a client.
We have a multisite in place and a certain user account seems to get locked out every other day and is forced to reset his password.
He always receives this mail:
Someone just logged into your ‘xxxxxxxxxxxx’ account at xxxxxxxx. Was it you that logged in? We are asking because the site happens to be under attack at the moment.
To ensure your account is not being hijacked, you will have go through the ‘Lost your password?’ process before logging in again.
If it was NOT YOU, please do the following right away:
* Send an email to [email protected] letting them know it was not you who logged in.
Now, since he’s the only user that gets locked out: is it just bad luck, that he happens to login during an attack or might there be a problem with his user account?
Thanks!
Stefan

I’m working on a project where we would like to force all existing users to change/reset their password every 90 days. It looks like that is possible with this plugin, but your plugin description says that the Password Aging feature is not recommended. Why is that?

If you are editing a page, go away, then come back some minutes later, continue to edit and then save, you see the message that more than 30 minutes (in my case) have passed since the last activity and that you need to log in again. You log in again, but all the edits you made on the page are lost.
When you log in you are redirected to the Dashboard, in my case, and if you go back with the browser all the edits you made are lost.
https://www.ads-software.com/plugins/login-security-solution/

I have a user who is essentially never able to log in, they are always forced to reset their password. The password reset utility usually also results in locking out the account rather than getting into the account.
I generally end up resetting their password every time they need to log in or publishing their content for them.
Any ideas on how 2 users on the same network can function so differently?

Hi,
I had set up the plugin to only allow my IP address to access the WP admin login page. This was fine for about 1 week, but now of course my IP address has changed I can’t access the site login.
What’s the easiest way around this, would it be to ftp onto cpanel and disable the plugin?
Also, how do I avoid this issue in future?
Many thanks
Marco

On the password change screen, if a user picks an invalid password (such as too short), a message will show up at the top saying “Password is too short”. However, these error messages show up with a blue stripe beside them (“info” messages) instead of a red stripe (“error” messages). Would it be possible to change this so that any problem with the password is shown as an error instead? I think this would make it more intuitive and user-friendly.
You can do this using the WP_Error object and returning it on the “wp_login_errors” hook.

Hi – Is there anything I can do to resolve the following issue?
We have a reverse-proxy in front of our WordPress site, so the client IP address is always that of the reverse-proxy. This obviously doesn’t help when lots of different users are entering incorrect passwords as it appears as though we’re being hit from the same IP address.
Can this plugin be modified to use the x-forwarded-for header instead?

Hi, I happened to login to my site at the same time an attacker was brute forcing using I’m guessing my username. So, the plugin is forcing me to reset my password. Unfortunately, I’m not getting the email to reset the password. Can I just login to my server and delete the plugin files, then reinstall after? Will that work, or do I need to do something in the database or something? I need to get in and edit my website ASAP, so please get back with me. Thanks.

Hello,
I’m using your plugin with Avada ThemeFusion and WooCommerce, but no amount of fiddling with the settings in Login Security Solution is changing anything on the front end for user login.
It seems that WooCommerce is still running the password requirements (and they are absolutely insane)
Any help would be much appreciated!

Hello,
I’m using your plugin and love the way it handles multiple login attempts.
At the same time, I would like to have the opportunity to control the password strength/complexity policy.
I do not like the way it is enforcing ‘too strict’ (for us!) password strength/complexity policy.
More than that, I do not like the fact it gives the admin no way of changing this policy (not able to choose minimum password length/strength/complexity) or whether or not to enable password management.
I do not expect you to change the plugin for our needs, especially not if it is good as is for most of your users, but is there a way for me to change this kind of behavior?
I’m asking this since I did see many threads from other users having the same “problems” we have – users having real difficulties finding an acceptable password.
Thank you!