Viewing 5 replies - 16 through 20 (of 20 total)
  • Same thing…

    I have been getting brute force login attempts at inMotion. So I installed this. Enabled two factor authentication. I get the email at my gmx.com account (forwarded from the host account by a forwarder) and just get into an endless loop.

    I have to FTP in and rename the simple security directory to get back into the WP admin.

    The plugin should afford this (I am a coder):

    1. A list of IP addresses it will let pass.
    That would cause issues, of course, in respect to people's mobility access to the backend. So:

    2. Something along the lines of: if coming in from an IP not in said list as an administrator account, using JavaScript with an event attached to the submit button, have it open a new textbox where a static passphrase or word as a secondary security is entered.

    I was gonna just give it a bad review but the plugin looks pretty promising.

    Oh, and for others… Slapping a sleep(10) or sleep(15); into your wp-login.php or wp-admin/index.php right at the start of the file will apparently deter both botnets and most brute force attacks.

    This ALSO might be a good idea for your plugin.

    I could hack something up… But that’s quick and easy to put in your firewall.

    Allow for that login delay to be set, and to give the user a bit of feedback, just slap a little CSS modal up saying something along the lines of “authenticating” with a progress bar that is basically just a sham animation or something. Be interesting as well to allow that message “authenticating” to be configurable. So one might put in something along the lines of:

    “Checking IP address against Federal Hacker Database & logging” or some such jibe. Might scare off the creeps.

    Plugin Author Paul

    (@paultgoodchild)

    This plugin has an IP white list option… it’s under Dashboard.

    The problem you describe appears to be different to the OP’s problem. Can you explain exactly what behaviour you’re seeing with the two-factor authentication? I’d like to know more to dig in.

    I’m not sure I understand your JavaScript dialogue idea. Brute force isn’t done via a web browser, it’s done by a bot that doesn’t care for your JavaScript. This is where the GASP JavaScript login box works well.

    Also, the plugin has a login cooldown feature and if you login during that cooldown period, the user is given the notice of how long they must wait.

    Thanks for not leaving a bad review… I much prefer having a discussion with users to get to the bottom of the problem. If you review the forums, you’ll see that this is usually the final result in the vast majority of cases.

    Thanks!
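
As an added example that is not part of the thread and not the plugin's own code: a per-IP login cooldown enforced server-side through WordPress's `authenticate` filter, so it applies to bots that never run JavaScript and rejects an early retry immediately instead of holding a PHP worker the way `sleep()` at the top of wp-login.php does. The `ex_` names, the file name, the 10-second window and the use of `REMOTE_ADDR` (no reverse proxy in front of the site) are assumptions.

```php
<?php
// Added example: hypothetical must-use plugin, e.g. wp-content/mu-plugins/ex-login-cooldown.php.
// All ex_* / EX_* names are made up for this illustration.

const EX_COOLDOWN_SECONDS = 10; // assumed window, same length as the sleep(10) suggested above

// Transient key for the client address. Assumption: no reverse proxy, so
// REMOTE_ADDR is the real client; behind a proxy every visitor would share one key.
function ex_cooldown_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ex_login_cd_' . md5( $ip );
}

// The 'authenticate' filter runs inside wp_authenticate(), which handles both
// wp-login.php submissions and XML-RPC logins. Priority 100 runs after core's
// own credential checks (priority 20), so the WP_Error returned here replaces
// whatever they decided, including a successful match.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    // wp-login.php calls wp_signon() on a plain page view with empty
    // credentials; that is not a login attempt and must not start a cooldown.
    if ( empty( $username ) && empty( $password ) ) {
        return $user;
    }

    $key  = ex_cooldown_key();
    $last = (int) get_transient( $key ); // 0 when no attempt is on record
    $wait = $last + EX_COOLDOWN_SECONDS - time();

    if ( $last > 0 && $wait > 0 ) {
        // Same answer for right and wrong passwords during the window, so a
        // guessing client learns nothing from requests made inside it.
        return new WP_Error(
            'ex_login_cooldown',
            sprintf( 'Please wait %d seconds before logging in again.', $wait )
        );
    }

    // Record this attempt; the transient expires when the window ends.
    set_transient( $key, time(), EX_COOLDOWN_SECONDS );
    return $user;
}, 100, 3 );
```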

    Hi,

    Yep, see the cooldown message. Every time I get the email and click the link within, I am brought back to the login screen. If I try to re-enter I just get bounced back out or mod_security kicked on.

    Plugin Author Paul

    (@paultgoodchild)

    This plugin can’t work around mod_security… I’m not sure you’d even want that.

  • The topic ‘[URGENT] Can't log in’ is closed to new replies.