• Resolved Marco Milesi

    (@milmor)


    Hi,
    We’re using the LDAP plugin with WordFence.

    In some cases (as WordPress default), some information is exposed to final users (for example, valid usernames during login).

    WordFence has a function to “Don’t let WordPress reveal valid users in login errors”.
    However, due to login error codes generated by the LDAP plugin, this function is not triggered.

    wpldaplogin.php
    
    $error = new WP_Error();
    $error->add('LDAP_USER_BIND_ERROR', __('<strong>ERROR</strong>: The password you entered for the username <b>'.$username.'</b> is incorrect.'));
    return $error;

    This works using:
    $error->add('incorrect_password', ... )

    Do you plan to support WordFence or have a plan to expose less data to potential attackers?

    Kind Regards,
    Marco

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author miniOrange

    (@cyberlord92)

    Hello Marco,

    Do you plan to support WordFence or have a plan to expose less data to potential attackers?

    Yes, we are fixing the above error message in our next release of the plugin and it will be compatible with WordFence. You can update the plugin to the new version.

    Thread Starter Marco Milesi

    (@milmor)

    Hi @cyberlord92 and thank you!

    I also noticed that WordFence bruteforce protection doesn’t work due to different error strings. I was able to get it working with the change of error string to

    $error->add('authentication_failed', ...

    Plugin Author miniOrange

    (@cyberlord92)

    Hello Marco,

    We have released the 3.5.92 version of the plugin, which includes the error message fix.
    Can you please update the LDAP plugin to the latest version and let us know if you are still having conflicts in error messages with WordFence?

    Looking forward to your response.

    Plugin Author miniOrange

    (@cyberlord92)

    Hello Marco,

    We haven’t received any response from you. We are considering that you are on the latest version of the plugin and the error message is fixed for you.
    If you still find any issues, you can reach out to us using the support form provided in our LDAP/AD plugin.
    We are marking the issue as resolved.

  • The topic ‘Reveal valid users in login errors’ is closed to new replies.
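
Added example, not part of the thread and not the LDAP plugin's or WordFence's code: a small must-use plugin that maps the custom `LDAP_USER_BIND_ERROR` code quoted above to the core `authentication_failed` code, with a message that neither echoes the username nor says which credential was wrong. The `example_*` names, the generic message text and the hook priority of 100 are assumptions; the priority only helps code that runs after it.

```php
<?php
// Added example for this thread, not the LDAP plugin's own code.
// Intended location (assumption): wp-content/mu-plugins/example-login-errors.php

// Custom failure codes to collapse. Only the code quoted in this thread is listed.
const EXAMPLE_CUSTOM_FAILURE_CODES = array( 'LDAP_USER_BIND_ERROR' );

// Same text for "unknown user" and "wrong password", and no username in it.
const EXAMPLE_GENERIC_MESSAGE = '<strong>Error</strong>: Invalid username or password.';

/**
 * True when any of the given error codes is one of the custom failure codes.
 * Kept free of WordPress calls so it can be exercised on its own.
 */
function example_should_normalize( array $codes ): bool {
    return count( array_intersect( $codes, EXAMPLE_CUSTOM_FAILURE_CODES ) ) > 0;
}

/**
 * 'authenticate' filter callback. Replaces a plugin-specific WP_Error with one
 * that uses a core error code and a generic message. Everything else passes
 * through untouched: a WP_User (success), null (undecided), or other errors
 * such as empty fields.
 */
function example_normalize_login_error( $user, $username = '', $password = '' ) {
    if ( ! is_wp_error( $user ) ) {
        return $user;
    }
    if ( ! example_should_normalize( $user->get_error_codes() ) ) {
        return $user;
    }
    return new WP_Error( 'authentication_failed', EXAMPLE_GENERIC_MESSAGE );
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress. Priority 100 is an assumption: the callback has to run
    // after the LDAP plugin's own 'authenticate' callback to see its error.
    add_filter( 'authenticate', 'example_normalize_login_error', 100, 3 );
} else {
    // Outside WordPress (php example-login-errors.php): constructed inputs.
    var_dump( example_should_normalize( array( 'LDAP_USER_BIND_ERROR' ) ) );
    var_dump( example_should_normalize( array( 'empty_password' ) ) );
}
```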