• Resolved Stefan M.

    (@stefan-m-1)


    Hi, within your plugin there is missing an action which is available in the main core.

    See loginlockdown by the function ll_wp_authenticate_username_password, please add there the do_action as below:

    function ll_wp_authenticate_username_password($user, $username, $password) {
    if ( is_a($user, 'WP_User') ) { return $user; }

    do_action( 'wp_login_failed', $username );

    if ( empty($username) || empty($password) ) {

    This is needed to do “own” stuff, like write all failed logins to a logfile, to block users serverwide over multiple pages, for example.

    Thanks
    Stefan

    https://www.ads-software.com/plugins/login-lockdown/

Viewing 9 replies - 1 through 9 (of 9 total)
  • I will look into the code to see what has changed in the core function, and what the effect will be to add that in.

    -Michael

    Thread Starter Stefan M.

    (@stefan-m-1)

    Hi Michael

    That's easy to say. Nothing else than a hook for additional things to do when a login fails.
    Core has added that so that other plugins can log “failed auth”.
    Your function doesn’t have it.

    Nothing changes at all in YOUR functionality. But I can add, for example, a new hook:
    add_action('wp_login_failed', 'mystuff');
    This is working in the CORE function, but not in yours.

    I need that hook, to ban people across the complete server, once they tried multiple sites in the network without luck.

    Hope I get the update soon, that my plugin is running fine afterwards with your code.

    Thanks for feedback
    Regards Stefan

    Thread Starter Stefan M.

    (@stefan-m-1)

    I have been getting brute-forced for weeks and am waiting to implement the serverwide protection.

    Otherwise I will fork your plugin with that small code added.

    Can't wait any longer. Please send me an update if you will add it and, if yes, around when the next release is planned.

    Regards

    Stefan, are you referring to a Multisite installation when you say “across a network”?

    -Michael

    Thread Starter Stefan M.

    (@stefan-m-1)

    No. This action can be used by other plugins to “do” stuff when a login failed, like log it to a blacklist (what I intend to do), and it works without your plugin, as the action is present in the official wp_login from WordPress. But as your plugin is modifying it… as already said…

    I want to add there the hook to log it to a global blacklist.
    The blacklist can then be checked by other WP installations across the server or multiple servers and ban brute-forcers across multiple single or MU installations, across servers.
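The server-wide blacklist described in the post above could be fed from `wp_login_failed` roughly as follows. This is an added example, not code from the thread, from Login LockDown or from WordPress core; only the handler name `mystuff` and the hook name come from the thread, while the log path, the threshold, the window and the `shared_recent_failures` helper are assumptions. It only records anything if the active authentication code actually fires `wp_login_failed`, which is the point of the request.

```php
<?php
// Added example: a shared failed-login log written by every site on the server.
const SHARED_FAIL_LOG  = '/var/log/wp-failed-logins.log'; // assumed path, writable by PHP
const SHARED_MAX_FAILS = 5;   // assumed threshold
const SHARED_WINDOW    = 900; // assumed look-back window in seconds

// Handler for wp_login_failed: append "timestamp<TAB>ip<TAB>site<TAB>username".
function mystuff($username) {
    // REMOTE_ADDR is the direct peer; behind a reverse proxy it is the proxy's address.
    $ip = filter_var($_SERVER['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    if ($ip === false) {
        return false; // no usable peer address (e.g. CLI), nothing to record
    }
    // Strip control characters (tab, CR, LF) so a crafted username cannot forge log lines.
    $user = preg_replace('/[\x00-\x1F\x7F]/', '', substr((string) $username, 0, 60));
    $site = preg_replace('/[^A-Za-z0-9.\-:]/', '', $_SERVER['HTTP_HOST'] ?? '-');
    $line = implode("\t", [time(), $ip, $site, $user]) . "\n";
    return file_put_contents(SHARED_FAIL_LOG, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Count failures logged for $ip inside the window, across every site using the log.
function shared_recent_failures($ip, $now = null) {
    $now = $now ?? time();
    $count = 0;
    $fh = @fopen(SHARED_FAIL_LOG, 'r');
    if ($fh === false) {
        return 0; // log not created yet: no failures recorded
    }
    while (($row = fgets($fh)) !== false) {
        $f = explode("\t", rtrim($row, "\n"));
        if (count($f) === 4 && $f[1] === $ip && ($now - (int) $f[0]) <= SHARED_WINDOW) {
            $count++;
        }
    }
    fclose($fh);
    return $count;
}

if (function_exists('add_action')) { // only register when loaded inside WordPress
    add_action('wp_login_failed', 'mystuff');
    add_action('login_init', function () {
        if (shared_recent_failures($_SERVER['REMOTE_ADDR'] ?? '') >= SHARED_MAX_FAILS) {
            wp_die('Too many failed logins.', 'Forbidden', ['response' => 403]);
        }
    });
}
```

The same tab-separated log can be read by a host-level tool instead of the `login_init` check; the file needs rotation, since every login page request scans it.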

    Thread Starter Stefan M.

    (@stefan-m-1)

    read here:
    https://www.ads-software.com/support/topic/hook-for-fail-and-successful-login-actions?replies=2
    Go into wp-includes/pluggable.php

    check wp_authenticate() function. And see, it's there.

    As your plugin replaces this pluggable function and your plugin is missing that, it's not working.

    I will really, in some days, add an automatism where your updates automatically add this line of code, and publish it to wp.org as an enhancement to your plugin.

    Thread Starter Stefan M.

    (@stefan-m-1)

    AARGGGG found your mistake…

    if ( 'yes' == $loginlockdownOptions['mask_login_errors'] ) {
    	return new WP_Error('authentication_failed', sprintf(__('<strong>ERROR</strong>: Invalid username or incorrect password. <a href="%s" title="Password Lost and Found">Lost your password</a>?'), site_url('wp-login.php?action=lostpassword', 'login')));
    } else {
    	do_action('wp_login_failed', $username);
    }

    If I enable mask login errors, the code will not be used within your plugin; when I disable the login errors, the code is triggered.
    The code needs to be triggered in any case, as it is an error by the login…

    Perhaps you can fix this..

    do_action('wp_login_failed', $username);
    if ( 'yes' == $loginlockdownOptions['mask_login_errors'] ) {
    	return new WP_Error('authentication_failed', sprintf(__('<strong>ERROR</strong>: Invalid username or incorrect password. <a href="%s" title="Password Lost and Found">Lost your password</a>?'), site_url('wp-login.php?action=lostpassword', 'login')));
    }

    Thread Starter Stefan M.

    (@stefan-m-1)

    Fork is made to solve the issue.
    Not published yet, will follow.

    I did close the request.

    mvandemar

    (@mvandemar)

    Stefan, I see it now. I need to rewrite sections of the plugin anyway, I will incorporate the change in the next version.

    -Michael

  • The topic ‘Missing core feature within your plugin, please add it, code attached’ is closed to new replies.