• Resolved Babak Fakhamzadeh

    (@mastababa)


    I’m running Trusona in ‘Trusona only’ mode. Yet, WordPress still sends me messages saying that users have “been locked out from signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures…”

    I would think that, with ‘Trusona only’ it would no longer be possible to try to log in any other way. Or?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support msharma266

    (@msharma266)

    Hi Babak,

    Thanks for using Trusona.

    Actually, the “Trusona Only” mode hides and takes away the password login form from the user experience. But it cannot prevent hackers from automating the WordPress login flow and triggering failed login attempts, especially if the users’ usernames are common or the WordPress defaults.

    Hope this helps explain your observation.

    Thread Starter Babak Fakhamzadeh

    (@mastababa)

    This sounds like there is some API endpoint that these ‘hackers’ are accessing. But if Wordfence can monitor this, then Trusona could block this.

    Do you know what the endpoint in question is?

    Plugin Support msharma266

    (@msharma266)

    Hi Babak,

    We are not able to discuss specific non-Trusona API endpoints, but would like to direct you to the WP documentation for it. Thanks,

    -Manny

    Trusona Support

    Thread Starter Babak Fakhamzadeh

    (@mastababa)

    Well, what I’m asking is for Trusona to live up to its own setting called “Trusona only”. Nothing more, nothing less.

    Plugin Support msharma266

    (@msharma266)

    Hi Babak,

    Understand your frustration. “Trusona only” means that it is the only authentication method available to a user in their user experience/flow. It is not possible for us to close off all other ‘backdoors’ since we don’t own the entire platform. I hope you can understand the architectural limitations for us.

    Thanks for your understanding,

    -Manny

    Trusona Support

    Thread Starter Babak Fakhamzadeh

    (@mastababa)

    I take your point that you do not own WordPress. Yet, classifying what I suspect are API-based methods for authentication as ‘backdoors’ seems unfair.

    Anyway, thanks.

  • The topic ‘With ‘Trusona only’, how are users still locked out from signing in?’ is closed to new replies.
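
Added example, not part of the thread and not Trusona or WordPress code: a small access-log check that shows where the failed-login notices discussed above can come from even when the password form is hidden. It assumes the stock WordPress entry points `wp-login.php` and `xmlrpc.php` (the thread names no endpoint), a Combined Log Format access log, and a hypothetical threshold of 3; the log lines are constructed.

```python
import re
from collections import defaultdict

# Stock WordPress entry points that accept a username and password.
# Assumption: the thread names no endpoint; these are WordPress core defaults.
PASSWORD_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} '
)

def password_posts_by_client(lines):
    """Count POSTs per client IP to each password-accepting endpoint."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # GETs only render a page; they submit no credentials
        path = m["path"].split("?", 1)[0]
        # Match the endpoint even when WordPress lives in a subdirectory.
        for endpoint in PASSWORD_ENDPOINTS:
            if path.endswith(endpoint):
                counts[m["ip"]][endpoint] += 1
    return {ip: dict(c) for ip, c in counts.items()}

def noisy_clients(lines, threshold=3):
    """Return IPs whose total password POSTs reach the threshold."""
    per_ip = password_posts_by_client(lines)
    return sorted(ip for ip, c in per_ip.items() if sum(c.values()) >= threshold)

def _line(ip, method, path, status=200):
    """Build one constructed Combined Log Format line."""
    return (f'{ip} - - [12/Mar/2024:10:00:00 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample traffic (documentation IP ranges, not real clients).
SAMPLE_LOG = (
    [_line("203.0.113.7", "POST", "/wp-login.php")] * 3
    + [_line("198.51.100.22", "POST", "/xmlrpc.php")] * 2
    + [_line("198.51.100.22", "POST", "/blog/xmlrpc.php"),
       _line("192.0.2.10", "GET", "/wp-login.php"),
       _line("192.0.2.10", "POST", "/wp-admin/admin-ajax.php")]
)
```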