• Resolved bsteinlo

    (@bsteinlo)


    Hey all!

    I have a custom wp_login_form() on a page that if a user successfully logs in gets the page content.

    I have set my login attempts to 3, before getting locked out.

    I have a function that redirects the user to the same page if login fails

    add_action( 'wp_login_failed', 'custom_login_failed' );
    function custom_login_failed( $username )
    {
        $referrer = wp_get_referer();
    
        if ( $referrer && ! strstr($referrer, 'wp-login') && ! strstr($referrer,'wp-admin') )
        {
            wp_redirect( add_query_arg('login', 'failed', $referrer) );
            exit;
        }
    }

    I am also printing an error message for the user with:

    if ( isset( $_GET['login'] ) && $_GET['login'] == 'failed' ) {
        echo '<div id="login-error" style="background-color: #FFEBE8;border:1px solid #C00;padding:5px;">';
        echo 'Login failed: You have entered an incorrect Username or password, please try again.';
        echo '</div>';
    }

    Everything works great, however after the 3rd unsuccessful attempt, it redirects to the standard wp-login.php backend with the login lockdown error message. Is there a way to keep the user on the current page and display the login lockdown message there?

    https://www.ads-software.com/plugins/login-lockdown/

Viewing 11 replies - 1 through 11 (of 11 total)
  • After the user is logged out, if you return to the custom page manually and try again, does it still redirect you back to the wp-login.php? My plugin doesn’t do any redirecting on its own, it just returns a new WP_Error:

    if ( "" != isLockedDown() ) {
        return new WP_Error('incorrect_password', "<strong>ERROR</strong>: We're sorry, but this IP range has been blocked due to too many recent " .
            "failed login attempts.<br /><br />Please try again later.");
    }

    I am not sure where the default redirect is coming from.

    -Michael

    Thread Starter bsteinlo

    (@bsteinlo)

    Hi Michael-

    Thanks for the response. I’ve disabled all backend capabilities for subscribers, so they can’t logout in the traditional sense.

    I’m seeing in your code a countFails function. I was wondering if there’s a way to utilize that as a counter.

    Something like if ($numFails === 3) { //do something }

    It’s difficult to say what the solution would be without knowing why it’s happening. Does it happen on subsequent login attempts as well, after locking the user out? Or just on the third one?

    -Michael

    Thread Starter bsteinlo

    (@bsteinlo)

    I ended up just counting the session and printing a warning with

    session_start();

    if ( isset( $_SESSION['loginCount'] ) ) {
        $_SESSION['loginCount']++;
        if ( $_SESSION['loginCount'] > 3 ) {
            echo 'Your IP has been banned! Please try again later.';
            exit;
        }
    } else {
        $_SESSION['loginCount'] = 1;
    }

    Works great!

    On another note, I saw in another post about whitelisting an IP by wrapping lines 442-447 with:

    if ( "xxx.xxx.xxx.xxx" == $_SERVER['REMOTE_ADDR'] ) {
        // lines 442 - 447 go here
    }

    So, basically:

    if ( "xxx.xx.xxx.xxx" == $_SERVER['REMOTE_ADDR'] ) {
        incrementFails($username);
        if ( $loginlockdownOptions['max_login_retries'] <= countFails($username) ) {
            lockDown($username);
            return new WP_Error('incorrect_password', __("<strong>ERROR</strong>: We're sorry, but this IP range has been blocked due to too many recent " .
                "failed login attempts.<br /><br />Please try again later."));
        }
    }

    I just want to verify that this will basically whitelist a specific IP from the Login Lockdown trigger?

    No, that’s backwards. You would want “if ip does not equal”, not if it does equal. Otherwise it would only try and lock out that 1 ip address on failed logins, and all others would be effectively whitelisted. So, if it’s just 1 ip and it doesn’t change much, then:

    if ( "xxx.xx.xxx.xxx" != $_SERVER['REMOTE_ADDR'] ) {
        incrementFails($username);
        if ( $loginlockdownOptions['max_login_retries'] <= countFails($username) ) {
            lockDown($username);
            return new WP_Error('incorrect_password', __("<strong>ERROR</strong>: We're sorry, but this IP range has been blocked due to too many recent " .
                "failed login attempts.<br /><br />Please try again later."));
        }
    }

    Try that and let me know how it works.

    -Michael

    Thread Starter bsteinlo

    (@bsteinlo)

    I tried that, with my IP and it still triggers the lockout.

    Just looking for the simplest way to whitelist an IP from ever being locked out.

    I would try some debug code, make sure that what the server is seeing as your IP address is the same as what you show, e.g. put this in there:

    die($_SERVER['REMOTE_ADDR']);

    right after the if statement.

    -Michael

    @bsteinlo – just to be sure, you did replace “xxx.xx.xxx.xxx” with your actual ip address, yes…?

    -Michael

    Thread Starter bsteinlo

    (@bsteinlo)

    Ha, yes – I definitely replaced the xxx’s with my IP

    Printing my IP helped, it was an error of my localhost IP.

    I changed the if statement to include both with an or statement and it works great. I then spoofed my IP, and voilà, I’m locked out!

    Perfect, thanks so much for the plugin and support. Is there a repo for this? I’d be happy to make a pull request and add this as a backend feature to whitelist IPs, as it might be useful for others.

    It’s on my todo list, although of course I will be storing the ips in the database and not hardcoding them. It’s actually a relatively small change, I will see if I can get to it this weekend or early next week.

    -Michael

    Thread Starter bsteinlo

    (@bsteinlo)

    Yeah, of course. I was thinking of another option field in the backend with a textarea where you can define IPs, store them to the DB and use those to whitelist in the code above.

    Thanks again.
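Putting Michael’s `!=` check and the textarea-of-IPs idea together, here is an added example (not Login Lockdown’s own code) of a list-based whitelist read from an option instead of a hardcoded address; the option name `loginlockdown_whitelist` and the `lld_*` helper names are assumptions, and the bypass deliberately fails closed on malformed entries.

```php
<?php
// Added example, not part of the plugin. The option 'loginlockdown_whitelist'
// (one IPv4 address or IPv4 CIDR range per line) is hypothetical.

/** Turn the textarea contents into a clean list of entries. */
function lld_parse_whitelist( $text ) {
    $entries = array();
    foreach ( preg_split( '/[\r\n,]+/', (string) $text ) as $line ) {
        $line = trim( $line );
        if ( $line !== '' ) {
            $entries[] = $line;
        }
    }
    return $entries;
}

/** True if $ip equals $entry or falls inside the IPv4 CIDR range $entry. */
function lld_ip_matches( $ip, $entry ) {
    if ( strpos( $entry, '/' ) === false ) {
        return $ip === $entry;            // exact match also covers '::1' (IPv6 localhost)
    }
    list( $subnet, $bits ) = explode( '/', $entry, 2 );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( $ip_long === false || $subnet_long === false || ! ctype_digit( $bits ) ) {
        return false;                      // malformed entry must never whitelist anyone
    }
    $bits = (int) $bits;
    if ( $bits === 0 ) {
        return true;                       // /0 matches every address
    }
    if ( $bits > 32 ) {
        return false;
    }
    $mask = -1 << ( 32 - $bits );          // works for 32- and 64-bit PHP integers
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

function lld_ip_is_whitelisted( $ip, array $whitelist ) {
    foreach ( $whitelist as $entry ) {
        if ( lld_ip_matches( $ip, $entry ) ) {
            return true;
        }
    }
    return false;
}

// In the failed-login path, replacing the hardcoded comparison from the thread:
$whitelist = lld_parse_whitelist( get_option( 'loginlockdown_whitelist', '' ) );
if ( ! lld_ip_is_whitelisted( $_SERVER['REMOTE_ADDR'], $whitelist ) ) {
    incrementFails( $username );           // then countFails()/lockDown() as in the plugin code above
}
```

Listing both `127.0.0.1` and `::1` in the option covers the localhost mismatch bsteinlo hit, and an empty or garbage entry leaves lockout behaviour unchanged rather than disabling it.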

  • The topic ‘Custom wp_login_form don't redirect to wp-login.php’ is closed to new replies.