ageibert
Forum Replies Created
Forum: Plugins
In reply to: [Responsive Posts Carousel] show all posts
Could you extend the plugin with a “limit” for each carousel? Something like:
“show only 5 posts from the category xy”
Best regards
Forum: Plugins
In reply to: [Ultimate WP Query Search Filter] Search by date
Wow! Thank you so much. Seems to fit my needs perfectly.
Great plugin!!
Forum: Plugins
In reply to: [WooCommerce Bulk Discount] More discount rows
Hi amereservant,
thanks for the info and: I do know this.
But: you should never, I mean never, edit plugin or WordPress core files on your own.
Every future update destroys your changes. And every future update of, in this case, WooCommerce, could destroy your whole site, because your changes aren’t update proof.
It would be so nice if the author of the plugin would answer this feature request, but as far as I can see, he doesn’t really participate in this support forum.
Maybe it’s better to use WooCommerce’s own plugin for bulk discounts. Then you are update proof and get support.
Perfect! Thanks dwinden for all the info.
Yes, that’s the point. I’d like to be informed about every single bad login.
This seems not possible now in iThemesSec, so I wanted to report this as a feature request.
If this feature will never be implemented in iThemesSec, I really have to use another additional plugin like the one suggested by you.
So: Is this a feature request which may be implemented in iThemesSecurity, or will this never happen because it’s better done by another plugin?
I fully agree.
This is everything but trustworthy ;(
I checked this again and all I get if the username does not exist is this mail:
####
Dear Site Admin,
A host, 210.xxx.xxx.xxx, has been locked out of the WordPress site at https://nanolive.ch due to too many bad login attempts.
The host has been locked out permanently.
*This email was generated automatically by iThemes Security. To change your email preferences please visit the plugin settings.
####
It only says that “a host” is locked out, but not a word about the username that was tried.
Do you really get a mail with the (non-existing) username in it?
Additionally, this only happens after the “Max Login Attempts Per Host”. I and others would prefer every bad login attempt to be logged.
Hi dwinden,
yes, this is exactly the mail I’m talking about. (btw: before iThemes Security switched from a public GitHub repo to a private one, I contributed to exactly this mail sending mechanism/the wording in the mail.)
But this mail is only sent if the username which was tried already exists in the system.
I’d really need info about all hacking attempts regardless of an existing username. This could be two options:
– always send mails if a wrong username was tried too many times
– write to a log file if a username was tried too many times
Best regards
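The second option above (a log entry for every failed login, whether or not the username exists) as a small must-use plugin. This is an added example, not code from iThemes Security or any other plugin named here; the log file path is an assumption.

```php
<?php
/**
 * Plugin Name: Log Every Failed Login (added example)
 * Hypothetical mu-plugin: drop it in wp-content/mu-plugins/.
 * Records every failed login attempt, including attempts with usernames that do
 * not exist, which the lockout mail quoted above never reports.
 */

add_action( 'wp_login_failed', function ( $username, $error = null ) {
    // Keep the login name to one printable, bounded line so a crafted name
    // cannot forge extra log entries or flood the file.
    $username = preg_replace( '/[^\x20-\x7E]/', '?', (string) $username );
    $username = substr( $username, 0, 60 );

    // REMOTE_ADDR is the direct peer; behind a reverse proxy you must
    // take the client address from the header your proxy sets instead.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

    // The WP_Error code distinguishes an unknown username from a wrong
    // password. That distinction belongs in the admin's log, never in the
    // login page's response to the client.
    $reason = ( $error instanceof WP_Error ) ? $error->get_error_code() : 'unknown';

    $line = sprintf( "%s failed-login ip=%s user=%s reason=%s\n",
        gmdate( 'c' ), $ip, $username, $reason );

    // Assumed location: one directory above the web root, outside the docroot.
    $log = dirname( ABSPATH ) . '/wp-failed-logins.log';
    file_put_contents( $log, $line, FILE_APPEND | LOCK_EX );
}, 10, 2 );
```

Each line is one event with the attempted username, so a fail2ban-style tool or a plain `grep` over the file gives the per-attempt view the lockout mail lacks.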
The complete opposite of WordPress’ point of view (ship with security holes, let users deal with it) seems to be the new Drupal 8:
https://www.drupal.org/drupal8-security-bounty
There the “User enumeration” is clearly on the list. A huge list and the involvement of the community.
That’s how it should be …
@dwinden,
I must add this one to this topic: today I received the answer to my email to wordpress.com. Please sit down before reading:
“
WordPress does not consider usernames to be secret, and as you’ve pointed out, actively uses them in URL slugs such as /author/realusername. For this reason we do not consider username enumeration via /?author=1, /?author=2, etc to be a security vulnerability. If you would like to change this behaviour, plugins are available in the repository to block such requests.
“
It’s unbelievable. WordPress is responsible for about 60% of all open CMS in the world.
And they are shipping security holes with the intention to be fixed by third party plugins (which themselves could lead to other security holes).
I’m speechless….
I wrote an email to the WP security team. Because this issue appears to be present and known for years, like you I don’t think that they will change anything.
But I wanted to give them a chance to respond and fix this issue before I spread it on the net and call attention to it for all WordPress users who don’t know about it.
Surely plugins can be used for this. But I can’t believe WordPress is shipping with security holes and propagating the use of plugins to fix them.
Each plugin itself could be a security risk, each plugin makes the site slower and harder to maintain. Each plugin could have side effects.
I see we both agree with each other, but I have to try getting this one fixed at least.
Hi dwinden,
thanks for the info.
And that’s great news, that iTSec is fixing the WordPress security hole in this case and is nearly a perfect solution.
However: I’ll try to contact WordPress. I can’t believe they leave such a great security risk open to hackers for easy username gathering.
Best regards,
Andreas
… or maybe this could be the new feature added to iThemes Security?
The user_nicename must be regenerated every time the nickname changes. But WP is missing this.
I’ll write a plugin and report the issue.
I checked the database and the problem seems to be that the URLs /author/username are generated from the value of the wp_users table field “user_nicename”!!!
And this is wrong, because you can’t change the user_nicename field, only the display_name field. So it’s a WordPress problem!
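The two fixes discussed in this thread, refusing the numeric ?author=N lookup and regenerating user_nicename from the nickname, as one must-use plugin. This is an added example written for this page, not code from WordPress, iThemes Security or the plugin the poster planned; the function name hal_sync_nicename_from_nickname is made up here.

```php
<?php
/**
 * Plugin Name: Hide Author Login Names (added example)
 * Hypothetical mu-plugin for wp-content/mu-plugins/.
 * 1) Answers ?author=N with 404 instead of redirecting to /author/<user_nicename>/.
 * 2) Re-derives user_nicename (the author slug) from the nickname on every
 *    profile save, so the slug need not equal the login name.
 */

// Part 1: the numeric author lookup is what turns an ID into a slug.
add_action( 'init', function () {
    if ( is_admin() ) {
        return; // wp-admin user lists filter by author=N legitimately.
    }
    if ( isset( $_GET['author'] ) && preg_match( '/^\d+$/', (string) $_GET['author'] ) ) {
        status_header( 404 );
        nocache_headers();
        exit;
    }
}, 1 );

// Part 2: keep the author slug in step with the nickname.
function hal_sync_nicename_from_nickname( $user_id ) {
    $nickname = get_user_meta( $user_id, 'nickname', true );
    $user     = get_userdata( $user_id );
    if ( ! $user || '' === $nickname ) {
        return;
    }
    // A nickname equal to the login name still yields the login name as slug;
    // the admin has to pick a different nickname for this to hide anything.
    $slug = sanitize_title( $nickname );
    if ( '' === $slug || $slug === $user->user_nicename ) {
        return;
    }
    // Slugs must stay unique across users: append a counter on collision.
    $base = $slug;
    for ( $i = 2; ( $other = get_user_by( 'slug', $slug ) ) && (int) $other->ID !== (int) $user_id; $i++ ) {
        $slug = $base . '-' . $i;
    }
    // wp_update_user fires profile_update again; unhook to avoid re-entry.
    remove_action( 'profile_update', 'hal_sync_nicename_from_nickname' );
    wp_update_user( array( 'ID' => $user_id, 'user_nicename' => $slug ) );
    add_action( 'profile_update', 'hal_sync_nicename_from_nickname' );
}
add_action( 'profile_update', 'hal_sync_nicename_from_nickname' );
```

Changing user_nicename changes the public /author/ URL, so existing links to that archive break; apply part 2 knowingly and only where the login name was exposed in the first place.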