• Resolved thisisbolo

    (@thisisbolo)


    When we use the Cookie Based Brute Force Prevention feature, it disallows customers from logging in or registering under woocommerce/my-account.

    When a user tries to register a new account, it seems to register them on this page but doesn’t redirect them to /my-account; even if we change the redirect URL to /my-account, it errors.

    Logging in also errors for non-admin users.

    Google login reCAPTCHA also sends customers into an infinite loop of incorrect responses.

    Any suggestions how this can be overcome?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, please read the following support thread. It shows you the function you can add in your theme functions.php file. This will redirect to the WooCommerce accounts page.

    Kind regards

    Thread Starter thisisbolo

    (@thisisbolo)

    Hi @mbrsolution,

    Thank you for your response. This almost worked however there’s a couple of issues we’re running into.

    1. WooCommerce customers can’t successfully logout. We tried inserting the following to no avail.

    add_filter( 'logout_url', 'my_logout_page', 10, 2 );

    // Point logout links at the WooCommerce My Account page instead of wp-login.php?action=logout.
    // The nested redirect URL is encoded explicitly, as core's wp_logout_url() does.
    function my_logout_page( $logout_url, $redirect ) {
        return home_url( '/my-account/?redirect_to=' . rawurlencode( $redirect ) );
    }

    2. When trying to access https://siteurl.com/?secret_word_here=1, it redirects you to /my-account, as we’ve placed the following into the child theme’s functions.php as per the suggestion:

    add_filter( 'login_url', 'my_login_page', 10, 2 );

    // Point login links at the WooCommerce My Account page instead of wp-login.php.
    // The nested redirect URL is encoded explicitly, as core's wp_login_url() does.
    function my_login_page( $login_url, $redirect ) {
        return home_url( '/my-account/?redirect_to=' . rawurlencode( $redirect ) );
    }

    We’re using WP Rocket for caching. Could there be a plugin conflict?

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi @thisisbolo,
    After reproducing your issue and some head-scratching I think the following workaround should fix the logout issue.
    Try adding the following into the theme’s functions.php file:


    add_filter( 'woocommerce_login_redirect', 'woo_filter_login_redir', 10, 1 );

    // Append the brute force secret word to the post-login redirect URL so that the
    // plugin's .htaccess rules deposit the special cookie in the customer's browser.
    function woo_filter_login_redir( $url ) {
        if ( class_exists( 'AIO_WP_Security' ) ) {
            global $aio_wp_security;
            // Only act when the Cookie Based Brute Force Prevention feature is enabled.
            if ( $aio_wp_security->configs->get_value( 'aiowps_enable_brute_force_attack_prevention' ) == 1 ) {
                $bf_secret_word = $aio_wp_security->configs->get_value( 'aiowps_brute_force_secret_word' );
                return add_query_arg( array( $bf_secret_word => '1' ), $url );
            }
        }
        return $url;
    }


    The issue is that the cookie based brute force feature’s .htaccess directives look for the special cookie when the logout happens, but since it is not found, the user is blocked from performing that action.
    The above workaround will add the special query param to the redirect URL at login time and hence deposit the cookie into the browser. This will in turn allow the logout action.

    Thread Starter thisisbolo

    (@thisisbolo)

    Hi – thank you! Just reading through this and trying to understand the logic. Doesn’t this defeat the purpose of using the cookie to avoid attempts to access the WP dashboard? If on logout the cookie is placed for any user that logs in / out, doesn’t that mean they can then attempt to login to the dashboard thereafter?

    Do I still include

    add_filter( 'login_url', 'my_login_page', 10, 2 );

    // Point login links at the WooCommerce My Account page instead of wp-login.php.
    function my_login_page( $login_url, $redirect ) {
        return home_url( '/my-account/?redirect_to=' . rawurlencode( $redirect ) );
    }

    along with

    add_filter( 'woocommerce_login_redirect', 'woo_filter_login_redir', 10, 1 );

    // Append the brute force secret word to the post-login redirect URL so that the
    // plugin's .htaccess rules deposit the special cookie in the customer's browser.
    function woo_filter_login_redir( $url ) {
        if ( class_exists( 'AIO_WP_Security' ) ) {
            global $aio_wp_security;
            if ( $aio_wp_security->configs->get_value( 'aiowps_enable_brute_force_attack_prevention' ) == 1 ) {
                $bf_secret_word = $aio_wp_security->configs->get_value( 'aiowps_brute_force_secret_word' );
                return add_query_arg( array( $bf_secret_word => '1' ), $url );
            }
        }
        return $url;
    }

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi @thisisbolo,
    My suggestion is mainly for you to workaround your current issue.

    Now the problem, as far as the cookie based brute force feature and WooCommerce go, is that the WooCommerce plugin does a redirect at logout time using the core wp_logout_url() function. This means that the wp-login.php page is essentially being used to achieve a logout.
    But the issue is that the cookie brute force feature is designed to only allow access to the wp-login page if the visitor has the secret cookie.
    If you don’t deposit this cookie on your logged in woocommerce users, they won’t be able to logout because of the .htaccess rules which check for this.
    Hence you can probably see the dilemma.
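
One way out of the dilemma described in this reply (and in the earlier reply explaining the workaround) is to stop routing WooCommerce logouts through wp-login.php at all, so that customers never need the brute force cookie and the secret word never has to appear in a redirect URL. The following is an added example written for this page; it is not code from this thread, from the All In One WP Security plugin or from WooCommerce. It assumes a standard WordPress + WooCommerce install, and the query parameter name `wc_logout`, the nonce action `wc_logout_nonce` and the function names are choices made for this example.

```php
<?php
/**
 * Added example (not from this thread, All In One WP Security or WooCommerce):
 * log WooCommerce customers out without sending them through wp-login.php,
 * so the cookie-gated login page is never requested on logout.
 *
 * Assumed names chosen for this example: query parameter "wc_logout",
 * nonce action "wc_logout_nonce". Drop it into wp-content/mu-plugins/
 * or a child theme's functions.php.
 */

// WooCommerce builds its own logout links with wp_logout_url(), so filtering
// 'logout_url' catches the My Account logout link too. Point it at a
// nonce-protected endpoint on the home URL instead of wp-login.php?action=logout.
add_filter( 'logout_url', 'example_wc_logout_url', 10, 2 );
function example_wc_logout_url( $logout_url, $redirect ) {
    if ( ! function_exists( 'wc_get_page_permalink' ) ) {
        return $logout_url; // WooCommerce not active: keep the stock behaviour.
    }
    if ( empty( $redirect ) ) {
        $redirect = wc_get_page_permalink( 'myaccount' );
    }
    $url = add_query_arg(
        array(
            'wc_logout'   => '1',
            // add_query_arg() does not encode new values, so encode the nested URL here.
            'redirect_to' => rawurlencode( $redirect ),
        ),
        home_url( '/' )
    );
    // Same CSRF protection as core: the handler below refuses a missing/stale nonce.
    return wp_nonce_url( $url, 'wc_logout_nonce' );
}

// Handle the endpoint on 'init', before any output, so the Set-Cookie headers
// that clear the session can still be sent.
add_action( 'init', 'example_wc_handle_logout' );
function example_wc_handle_logout() {
    if ( ! isset( $_GET['wc_logout'] ) ) {
        return;
    }
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'wc_logout_nonce' ) ) {
        // Forged or stale link (e.g. a logout URL embedded on another site): refuse it.
        wp_die( 'Invalid logout request.', 'Logout', array( 'response' => 403 ) );
    }
    if ( is_user_logged_in() ) {
        wp_logout(); // Destroys the session token and clears the auth cookies.
    }
    $fallback = function_exists( 'wc_get_page_permalink' )
        ? wc_get_page_permalink( 'myaccount' )
        : home_url( '/' );
    // Never follow redirect_to blindly: restrict it to this site's allowed hosts.
    // The explicit fallback matters, because wp_safe_redirect()'s own fallback is
    // admin_url(), which would bounce a logged-out visitor into the blocked wp-login.php.
    $requested = isset( $_GET['redirect_to'] ) ? wp_unslash( $_GET['redirect_to'] ) : '';
    $target    = wp_validate_redirect( $requested, $fallback );
    wp_safe_redirect( $target );
    exit;
}
```

To check it, log in as a customer on the WooCommerce form without ever visiting the secret-word URL, then use the My Account logout link: the request goes to the home URL with `wc_logout=1` and a nonce, the session is cleared, and wp-login.php is never requested, so the .htaccess cookie rule is not involved and the `woocommerce_login_redirect` workaround is no longer needed for logout. This only addresses logout; it does nothing about an administrator logging in through the WooCommerce form, which is a separate question.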

    Thread Starter thisisbolo

    (@thisisbolo)

    Hi @wpsolutions,

    Thanks for your active responses. I appreciate you taking the time to respond to my comments.

    I understand. I’m officially stumped. What do you suggest is the best approach for securing login when using your plugin?

    I currently use ‘Rename Login Page’; however, I was looking for a more secure way, as an Admin user can use the WooCommerce login forms to login and have access to the WordPress dashboard.

    For some reason, I have bot(s) consistently hitting these login forms with existing usernames, and I want to avoid any successful login being used to then access the WP dashboard.

    I’m hesitant to use whitelisting as there’s instances where I login to the WP dashboard while on travel.

  • The topic ‘Issue with Cookie Based Brute Force Prevention’ is closed to new replies.