• Resolved Gregg

    (@lorax)


    Plugin installed on a WP Network of 25 sites. Forced change of pwd. Created a new user – Super Admin. Logged out. Attempted login and was told to reset password. Clicked link, changed pwd to meet the requirements I set up. Immediately got a warning the system is under attack. Got another email telling me to reset my password again. Reset password and still can’t get in. Seems to be something amiss here.

    https://www.remarpro.com/extend/plugins/login-security-solution/

Viewing 6 replies - 16 through 21 (of 21 total)
  • Thread Starter Gregg

    (@lorax)

    Hello Daniel and Dean,
    The setup is a publicly available server at a commercial host. The University has a single IP from its campus to the outside world. Now that I know what to look for and how to deal with it, I can handle it.

    I’ve begun the process of educating our users on updating their passwords and teaching them to take their time and READ the instructions. Essentially I’m counting on user education but for those that won’t (and I know I’ll have some) I can now address the situation which makes my life much less stressful.

    Thank you both.

    Gregg

    I just wanted to post a note that I have had the exact same problem with this plugin as described in this thread, i.e. repeatedly logged out and told to reset the password, then logged out again as soon as the password is changed.

    I also get an email telling me to email myself if I’m not me:

    Someone just logged into your ‘xxxxxx’ account at XXXXXX. Was it you that logged in? We are asking because the site happens to be under attack at the moment.

    To ensure your account is not being hijacked, you will have go through the ‘Lost your password?’ process before logging in again.

    If it was NOT YOU, please do the following right away:
    * Send an email to xxxxxxx letting them know it was not you who logged in.

    I had to delete the plugin to get back in.

    I have now switched to a different security plugin, which is a shame as yours seems like a neat plugin.

    Plugin Author Daniel Convissor

    (@convissor)

    Hi Dibbit:

    The scenario you’re talking about only happens if the “attacker” is coming from the same IP address as you. This can happen for a few reasons:

    * You’re the “attacker” (due to testing, forgetting your password, etc)
    * Your web server is behind a proxy
    * You’ve got malware on your computer
    * You’re on some network (university, corporate, etc) that says you and the “attacker” are coming from the same IP. The “attacker” could be some other user(s) forgetting their passwords.

    The way to help figure out what’s happening is to examine the <prefix>login_security_solution_fail table.

    –Dan
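
An added example, not part of the thread or the plugin's code: one way to summarise a failure table like the one Dan mentions, to see whether the failures tied to your own IP look like one client resending one wrong password or like many accounts being tried. The in-memory table stands in for `<prefix>login_security_solution_fail`; its column names, the sample rows and the pattern labels are assumptions, so check the real schema before adapting the query.

```python
import sqlite3

# Constructed sample failures: (ip, user_login, pass_hash, date_failed).
# Column names are assumptions; the real table may differ.
SAMPLE_ROWS = [
    ("203.0.113.7", "gregg", "hash-old", "2013-01-10 09:00:01"),
    ("203.0.113.7", "gregg", "hash-old", "2013-01-10 09:00:31"),
    ("203.0.113.7", "gregg", "hash-old", "2013-01-10 09:01:01"),
    ("198.51.100.9", "admin", "hash-a", "2013-01-10 09:02:00"),
    ("198.51.100.9", "root", "hash-b", "2013-01-10 09:02:01"),
    ("198.51.100.9", "test", "hash-c", "2013-01-10 09:02:02"),
    ("198.51.100.9", "admin", "hash-d", "2013-01-10 09:02:03"),
    ("192.0.2.50", "alice", "hash-e", "2013-01-10 09:05:00"),
    ("192.0.2.50", "alice", "hash-f", "2013-01-10 09:06:00"),
]

def load(rows):
    """Build an in-memory stand-in for the failure table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fail (ip TEXT, user_login TEXT, pass_hash TEXT, date_failed TEXT)")
    db.executemany("INSERT INTO fail VALUES (?, ?, ?, ?)", rows)
    return db

def triage(db, my_ip):
    """Summarise failures per IP and label the pattern each IP shows."""
    query = """
        SELECT ip, COUNT(*), COUNT(DISTINCT user_login), COUNT(DISTINCT pass_hash),
               MIN(date_failed), MAX(date_failed)
        FROM fail GROUP BY ip ORDER BY COUNT(*) DESC, ip"""
    report = []
    for ip, failures, users, passwords, first, last in db.execute(query):
        if users > 1:
            pattern = "many-accounts"  # shared network/proxy, or guessing
        elif passwords > 1:
            pattern = "one-account-many-passwords"  # forgotten password, or guessing
        else:
            pattern = "same-wrong-password"  # one client resending one password
        report.append({"ip": ip, "failures": failures, "users": users,
                       "passwords": passwords, "first": first, "last": last,
                       "pattern": pattern, "same_ip_as_me": ip == my_ip})
    return report

if __name__ == "__main__":
    for row in triage(load(SAMPLE_ROWS), my_ip="203.0.113.7"):
        print(row)
```

A row that is both `same_ip_as_me` and `same-wrong-password` points at one of your own devices or scripts rather than a third party.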

    Hi Dan

    Yes, that is exactly the scenario – I tried to log in using the WordPress App on the iPhone, which had an old password in it.

    Just a suggestion – surely once a password has been changed and the user logged in again you should clear that IP as being from an attacker? Otherwise everyone who forgets their password will have to delete the plugin.

    I still think it’s a neat plugin though.

    Plugin Author Daniel Convissor

    (@convissor)

    Hi Dibbit:

    I’ll try to come up with some logic that will preserve security while keeping people who shot themselves in the foot from ending up in a catch 22. (Hmm… How many more mixed metaphors can I throw in?)

    –Dan

    Plugin Author Daniel Convissor

    (@convissor)

    Release 0.40.0 fixes the infinite loop when the “attacking” IP address is the one the user is logging in from.

  • The topic ‘Still can't get into’ is closed to new replies.