Daniel Convissor

That’s a server configuration issue, outside the scope of WordPress and this plugin.

That code scanner needs fixing. The plugin supports both the mysqli and mysql extensions, so works with PHP 7.

No. That setting is a fully qualified path (per the / at the start of the path).

Closing for lack of feedback.

Shouldn’t be a loop. Should just have to reset the password once and then their IP address is remembered.

Only way to clear the flag is to delete the metadata in the database.

I intermittently get reports of people not getting the emails. Not sure why that happens. Guesses of some possible reasons:
* lands in spam bin
* blocked by ISP
* wrong email address in wordpress
* web server’s email capabilities disabled or misconfigured
* some plugin blocks the email

Thanks for registering your thoughts.

I intermittently get reports of people not getting the emails. Not sure why that happens. Guesses of some possible reasons:
* lands in spam bin
* blocked by ISP
* wrong email address in wordpress
* web server’s email capabilities disabled or misconfigured
* some plugin blocks the email

See the “Installation” section/tab in the readme.txt file or the plugin’s page on www.ads-software.com.

I just released 0.55.0, which has a new feature that blocks probing for user names via the “author” query string (eg ?author=1).

Took a quick look at JetPack. Seems modules/protect.php is the place. Appears they only check IP address. That’s not sufficient. Over the past couple months, I’ve noticed that attackers have so many bots at their disposal that they use a different IP address for nearly every request.

Real world example… One of my sites got 126 failed login attempts yesterday from 112 different IP addresses. These addresses aren’t even in the same IP range. This particular attacker’s control server picks three likely user names and one password then tells three bots to try one combination. Then it picks another password and has three _other_ bots try those combinations. Rinse and repeat. LSS stopped them. I haven’t seen another plugin that does that.

Hi Folks:

Sorry for taking so long to reply to this. I just took a very quick look at the BuddyPress code base. If you want to dig in to what’s happening, maybe add some logging in these functions:

xprofile_sync_bp_profile() in bp-xprofile/bp-xprofile-functions.php

xprofile_set_field_data() in bp-xprofile/bp-xprofile-functions.php

You can also activate my plugin’s logging by uncommenting log() calls by removing “###” in front of them, then monitoring /var/log/login-security-solution.log as you create a new user.

Keep me posted.

Hmm. Will look into this at some point.

While Login Security Solution has a mechanism to indicate a password must be reset, the actual process of doing the reset is via WordPress core.

Chances are there’s some user error going on here. Perhaps putting in the wrong user name or getting the link from an old password reset email. I don’t know.

Thanks for the suggestion.