Serious security issue (“WP Security Scan” plugin with “Login LockDown” plugin)

To be fair, it seems this problem only happens sometimes… I dont know why.

But I did managed to log in multiple times, when I shouldnt be able to. And when I see the Login LockDown options panel I can see this:

Currently Locked Out

**.***.**.** (3 minutes left)

**.***.**.** (4 minutes left)

—-

**.***.**.** is my IP address… the same in both cases.

I think the wp-security scan folks would be interested in this. Have you contacted them?

I have seen other threads indicating that WP Security scan does not always play well with other plugins that interact with the login process, although to be honest I have no idea why. I went through his code and did not see where it interacted with the login at all. Someone else reported this issue to me as well.

I did notice that the current version of his plugin is supposedly only compatible up to WP 2.8, and both you and the other person who reported it causing issues with Login LockDown were using 2.8.4 (as you and everyone else should be, due to security holes in earlier versions), but again no idea if that is what the issue is. Also, for some strange reason the author of WP Security Scan has it flagged as being in beta in his readme file (although not indicated as such anywhere else), so I would take caution in using it in a live environment anyways.

I will try and do some testing on it soon and see if I can replicate the problem.

I just updated Login LockDown. One of the things I fixed was an issue where locking out even on invalid usernames was not functioning as intended.

TheEconomist, since you described the issue you were having as being somewhat random, it may be that it did not actually have anything to do with WP Security Scan. Can you please upgrade to Login LockDown 1.5 and let me know if you are able to replicate the issue still?

Thanks.

Hello, mvandemar!

I re-installed WP, just as I did last time (with the difference that this time during the installation I changed MySQL database tables names to something other than “wp_”)

I installed “Login LockDown 1.5” as you advised. Then I added “WP Security Scan” plugin.

This time there is no problem. If I lock out my IP, I can NOT log in.

I DONT KNOW what went wrong last time, but since you mentioned that in the new “Login LockDown 1.5” you fixed an issue where locking out even on invalid usernames was not functioning as intended, there is possiblility that that was the cause of problems…. because I indeed was using function “Lockout Invalid Usernames” last time.

Whatever the cause, thanks for updating Login LockDown.

Cheers

TheEconomist – great! I am glad it is working for you now. This must mean that it was the bug you were encountering before then, and not an issue with wp-security-scan.

If you get a chance, could you please go ahead and mark this thread as resolved please? Thanks! ??

-Michael