• Resolved tomdkat

    (@tomdkat)


    I maintain a blog which is currently under attack. Login Security Solution has been notifying me about the failed login attempts, as it's supposed to. However, I’ve run into an interesting situation and here’s the scenario:

    A hacker uses my WordPress login id in an attempt to login to WordPress. The attempts fail repeatedly. Eventually, _I_ will try to login to WordPress, using my correct password. I will be informed of the need to reset my password. Let’s assume I’m able to reset the password and get logged in to WordPress ok. Cool.

    Here’s my question: what happens if the hacker continues to attempt to login to WordPress using my login id and incorrect passwords? I can see the hacker effectively blocking me from logging in to WordPress because I’m repeatedly having to reset my password, due to the _hacker’s_ failed login attempts.

    Here’s another question: if a hacker attempts to login to WordPress using my id and the incorrect password, why am I eventually required to reset my password at all?

    Thanks!

    Peace…

    https://www.ads-software.com/extend/plugins/login-security-solution/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Daniel Convissor

    (@convissor)

    What happens if the hacker continues to attempt to login to WordPress using my login id and incorrect passwords? I can see the hacker effectively blocking me from logging in to WordPress because I’m repeatedly having to reset my password, due to the _hacker’s_ failed login attempts.

    Whenever you update your profile or reset your password, Login Security Solution stores your IP address to a white list. When someone successfully logs in during an attack, LSS checks the current user’s IP address. If the IP has not been part of the attack and is in the white list, you’ll be let through as a normal login. The password reset step is used when the current IP isn’t in the white list (or matches one of the attacking addresses).

    If a hacker attempts to login to WordPress using my id and the incorrect password, why am I eventually required to reset my password at all?

    Because what if the attacker made a lucky guess? You’d have a real problem on your hands. So LSS uses the password reset process to verify the identity of people coming in from IPs not in the white list.

    Hope this clears things up. Let me know if you have any further questions.
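
The decision flow described in this reply, written out as an added model (constructed here, not Login Security Solution's own code; the threshold, class and function names, and the sample IP addresses are assumptions):

```python
from collections import defaultdict

# Constructed model of the decision described above; the threshold and all
# names are assumptions, not Login Security Solution's own code or settings.
ATTACK_THRESHOLD = 5   # failed attempts on one account before it counts as under attack


class LoginGate:
    def __init__(self):
        self.failures = defaultdict(lambda: defaultdict(int))  # user -> ip -> failed count
        self.whitelist = set()                                  # IPs seen at reset/profile update

    def record_failure(self, user, ip):
        """A wrong password was submitted for `user` from `ip`."""
        self.failures[user][ip] += 1

    def attacking_ips(self, user):
        return set(self.failures[user])

    def under_attack(self, user):
        return sum(self.failures[user].values()) >= ATTACK_THRESHOLD

    def record_password_reset(self, user, ip):
        """Completing a reset (or saving the profile) whitelists the current IP."""
        self.whitelist.add(ip)

    def on_successful_login(self, user, ip):
        """Decide what happens once the correct password has been supplied."""
        if not self.under_attack(user):
            return "allow"
        if ip in self.whitelist and ip not in self.attacking_ips(user):
            return "allow"                # known-good address that took no part in the attack
        return "require_password_reset"   # unknown or attacking address: verify identity first


def scenario():
    """The situation in the question: ongoing guessing against one account, owner logs in twice."""
    gate = LoginGate()
    attacker, owner = "203.0.113.7", "198.51.100.5"   # constructed documentation-range addresses
    for _ in range(6):
        gate.record_failure("tomdkat", attacker)
    first = gate.on_successful_login("tomdkat", owner)      # owner's IP not yet whitelisted
    gate.record_password_reset("tomdkat", owner)            # completing the reset whitelists it
    for _ in range(6):
        gate.record_failure("tomdkat", attacker)            # the attack continues
    second = gate.on_successful_login("tomdkat", owner)     # whitelisted, so no second reset
    lucky = gate.on_successful_login("tomdkat", attacker)   # a lucky guess still forces a reset
    return first, second, lucky
```

Running `scenario()` shows the owner is asked to reset only once; after that, continued guessing from the attacker's address no longer affects logins from the whitelisted IP.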

    Thread Starter tomdkat

    (@tomdkat)

    Sounds great! Thanks!

    Peace…

  • The topic ‘Question about resetting passwords’ is closed to new replies.