• Resolved bseddon

    (@bseddon)


    My experience has been that when security is enabled, all non-admin logins appear to be rejected and are given a time before they will be admitted. However, if you refresh and confirm you want to re-apply the login content, it works. Useful idea, but on my site it doesn’t appear to work correctly.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Bowo

    (@qriouslad)

    @bseddon thank you for reporting. Are you referring to the Change Login URL module, or the Password Protection module?

    Thread Starter bseddon

    (@bseddon)

    Thanks for your response. As an image speaks a thousand words…

    Is it likely to be because the site delegates sign-in authentication to another server using the ‘authenticate’ filter? I can see in bootstrap the authenticate filter uses the ‘maybe_allow_login’ function of the security class.

    What I can’t see in there is any test that the user is already signed in by a previous execution of an authenticate filter with a lower priority.

    If so, how is the function detecting a previous successful authentication?

    Plugin Author Bowo

    (@qriouslad)

    @bseddon oh, the Limit Login Attempts module. No other server is involved. I’ll have to investigate further as I find the time for it. Thanks again for reporting and kindly wait for further response from me.

    Plugin Author Bowo

    (@qriouslad)

    @bseddon I’ve just had the time to quickly test this on a fresh WP install and was not able to replicate the issue you reported.

    I created a non-administrator account (editor), enabled the Limit Login Attempts module, logged out and then was able to log in using the non-administrator account just fine. You can try this out yourself with an instant site created at InstaWP or TasteWP.

    Thread Starter bseddon

    (@bseddon)

    I think you are missing something. Your test environment does not delegate authentication to another service.

    We also use the ‘authenticate’ filter but to delegate the authentication to another service. That is, in our case WordPress is *not* used for authentication as this is delegated to another system.

    It appears that your plugin is using the ‘authenticate’ filter in which to test whether the user has reached the threshold of attempts to sign in.

    Our use of the ‘authenticate’ filter precedes your use of the filter. The result of this is that our user is authenticated by the time your filter runs but you do not check in your use of the ‘authenticate’ to see if the user is already signed in.

    This has the effect of saying ‘we can use the authenticate filter but no one else is able to use it’.

    Hope that helps. Will it be helpful for me to reproduce this behavior in a test WP environment so you can experience the behavior and have full machine access?
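
The filter-chain behaviour discussed in this thread, as an added example that is not part of the thread or of the plugin's code: a hypothetical attempt limiter hooked late on `authenticate` that leaves an earlier callback's `WP_User` untouched unless the account is locked out. The `example_*` names, the threshold, the window and priority 100 are assumptions.

```php
<?php
// Added illustration, not the plugin's code. The example_* names, threshold,
// window and priority are assumptions.
const EXAMPLE_MAX_FAILURES = 5;
const EXAMPLE_LOCKOUT_SECS = 900;

function example_attempt_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    return 'example_fail_' . md5( strtolower( (string) $username ) . '|' . $ip );
}

// Priority 100 runs after a delegating callback and after core's own
// username/password check (priority 20), so $user holds their result.
function example_limit_attempts( $user, $username, $password ) {
    if ( '' === (string) $username ) {
        return $user; // nothing submitted: leave the earlier result alone
    }
    $failures = (int) get_transient( example_attempt_key( $username ) );
    if ( $failures >= EXAMPLE_MAX_FAILURES ) {
        // Locked out: refuse even a WP_User, so a correct guess made during
        // the lockout window does not get through.
        return new WP_Error( 'example_locked_out', 'Too many failed sign-in attempts. Try again later.' );
    }
    // Not locked out: a WP_User from an earlier callback (delegated or core)
    // passes through untouched, as does null or an earlier WP_Error.
    return $user;
}
add_filter( 'authenticate', 'example_limit_attempts', 100, 3 );

// wp_login_failed fires only when the whole chain ended in a WP_Error, so a
// sign-in that an earlier callback authenticated is never counted as a failure.
function example_count_failure( $username, $error = null ) {
    if ( is_wp_error( $error ) && 'example_locked_out' === $error->get_error_code() ) {
        return; // do not extend the window for attempts made while locked out
    }
    $key = example_attempt_key( $username );
    set_transient( $key, (int) get_transient( $key ) + 1, EXAMPLE_LOCKOUT_SECS );
}
add_action( 'wp_login_failed', 'example_count_failure', 10, 2 );

// A successful sign-in clears the counter.
function example_clear_failures( $user_login ) {
    delete_transient( example_attempt_key( $user_login ) );
}
add_action( 'wp_login', 'example_clear_failures' );
```

Keying the counter on username plus `REMOTE_ADDR` is a simplification; behind a reverse proxy `REMOTE_ADDR` is the proxy's address, so every client shares one counter per username.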

    Plugin Author Bowo

    (@qriouslad)

    @bseddon I see what you mean. I did not understand what you said with “another server”. I thought you meant the plugin is doing that, which it does not. Your use case is not a common one, and the plugin is not built to accommodate edge cases like that. I’m not sure I’m going to make any change to accommodate that. I hope this is something you can understand.

    On the flip side, were you able to use another plugin that works with your authentication scenario?

  • The topic ‘With security enabled, all non-admin logins are rejected’ is closed to new replies.