Password check triggers suspicious login attempt email

  • Resolved kenrichman

    (@kenrichman)


    3 years, 6 months ago

    I have a password field on a form. This is a security measure to ensure that it is the real user completing the form and not someone else who has come across a logged-in account.

    In my plugin which processes the form, I make this call:
    $user = apply_filters('authenticate', null, sanitize_user ( $current_user->user_login ), $password );

    Even though the user is logged in, they will receive a ‘login verification required’ email and furthermore the authentication test fails.
    If I disable WordFence, all works fine.
    It looks like youi are confusing a password verification test with a real login attempt. The user is logged in so you should be able to tell the difference.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Support WFAdam

    (@wfadam)

    Hello @kenrichman and thanks for reaching out to us!

    Is this on just one specific page or is this password field on multiple pages?

    Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    Which plugin are you using for the form as well? The diagnostic will give me your URL so I can test this.

    Thanks again!

    Thread Starter kenrichman

    (@kenrichman)

    The plugin (WPdirectdebit) is still in development so you won’t find a copy. I have posted the line of code. I will send you the diagnostics report as requested.
    You’ll need to have an account and be logged in to test this even with the URL.

    Thread Starter kenrichman

    (@kenrichman)

    Diagnostics email has been sent

    Plugin Support WFAdam

    (@wfadam)

    Thanks for sending that over!

    I believe the “login verification required” email is from using the captcha on the login form.

    Since it’s custom code, you can use the filter described here to skip the captcha only when your custom code runs:
    https://www.wordfence.com/help/login-security/#customizing-captcha-behavior-with-wordpress-filters

    This should correct the issue! Thanks again!

    Thread Starter kenrichman

    (@kenrichman)

    Hi Adam

    I added the filter and you are correct this is the cause of the problem, however I am not keen on your solution, which is for me to add something to my plugin to get around a problem with yours. There is no need to run a captcha when the user is not logging in, it’s simply a password verification.

    Plugin Support WFAdam

    (@wfadam)

    If this works, it’s the reason we included this filter in the plugin. Other plugins that provide authentication features may log the user in during that hook, so if we were to use another hook instead, it could miss authentication attempts that should be blocked by the captcha.

    You can use that hook in your plugin. I’d also suggest including a comment near it that explains why it’s there.

    Thanks again!

    Thread Starter kenrichman

    (@kenrichman)

    I don’t think you should assume every call to the authenticate filter is in the context of a form and needs to call the captcha routine. The way I see it, you are protecting some plugins at the expense of breaking others. But what would fix it would be a separate function that authenticates a password/username without any attempt to login. Do you know of such?

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Password check triggers suspicious login attempt email’ is closed to new replies.