Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter mrtugge

    (@mrtugge)

    Ah, I missed that that was not allowed; it seemed like the only option left to investigate this bug any further. Then we reached a dead end.

    @talextech Thanks for the response. I understand you can’t look into it any further if you can’t reproduce the bug. If I get any more info I will let you know.

    Thread Starter mrtugge

    (@mrtugge)

    Hi!

    Thanks for the reply. I think I can do better than that: I created a temporary test installation on a subdomain and stripped it from other themes/plugins.

    I can create an account for you so you can log in and see the bug yourself and also check the plugin settings etc. I would assume this would be more helpful to you.

    Do you have an email address where I can send the URL/login credentials to? I'd rather not post this on a public forum to prevent others messing up the test installation.

    Thread Starter mrtugge

    (@mrtugge)

    Thanks for looking into this! I tried to debug this some more and went into a rabbit hole. Please see my findings below. Note I made some assumptions here so please check if they are correct. At the moment I’m quite stuck so I wanted to check if any of this is helpful to you.

    Disabling plugins/new install
    I tried disabling all plugins (except Login Lockdown), the issue still persisted. This is on WordPress 6.5.5, Login Lockdown version 2.10. Then I tried a clean install on a new subdomain (WordPress version 6.5.5) and only installed Login Lockdown (v2.10), which worked without problems (captcha required, etc.).

    Install in older/updated project
    Since both the WordPress version and plugins are the same I assume the issue is the other websites already existed for quite a while and there is a corruption somewhere in the updates. I tried updating an older, unused, local project and adding the newest version of Login Lockdown (it did not have this plugin before). This project also had the bug, I was able to log in without filling in the captcha. Please note this happens for ‘live’ sites as well as local development sites, so it does not seem server specific.

    New installation of old WordPress, updated to newest version
    Next I created a new subdomain with a clean install of WordPress 5.5. Then I updated this version to WordPress 6.5 and added Login Lockdown (v2.10). On this installation the Login Lockdown did work as expected.

    Code
    I tried looking at the plugin code real quick, if I misunderstood it please ignore the following. Maybe it helps to pinpoint the issue. This was tested on a local environment where the Captcha was not working/ignored:

    The complete captcha check in wp_authenticate_username_password is skipped. When I put a die() in the if (is_a($user, 'WP_User')){} in the wp_authenticate_username_password function in \libs\functions.php, I run into the die when I input a correct username/password combination. If I fill in a wrong username/password combination, I reach the self::handle_captcha() function further down in the function. So only filling in the correct username/password is enough to reach the early exit.

    So….
    Old, existing projects, which are now all up to date have the issue. New installations, even newly installed older versions of WordPress, which are then updated to newest version do not have the issue. All of these have the same WordPress version (v6.5.5) and same version of Login Lockdown (v2.10).

    I know it's a long list, but since I was not able to pinpoint the issue yet and you know the plugin a lot better I didn’t want to make assumptions/leave anything out that might be helpful

    If you have any questions or tests for me please let me know.
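
A callback on WordPress's authenticate filter receives as $user whatever the callbacks that ran before it returned, so the early exit described in the post above depends on what is registered ahead of the plugin's check. The following diagnostic is an added example, not code from the post, from Login Lockdown or from WordPress core; it lists the filter's callbacks in execution order so an affected install can be compared with a working one. It assumes the plugin's function is hooked on authenticate; Hypothetical_Captcha_Plugin, check_login and its priority are made up for the sample.

```php
<?php
// Added diagnostic example; not code from Login Lockdown or WordPress core.
// Lists the callbacks on the 'authenticate' filter in execution order.
function describe_callback($fn): string
{
    if (is_string($fn)) {
        return $fn;
    }
    if (is_array($fn) && count($fn) === 2) {
        $owner = is_object($fn[0]) ? get_class($fn[0]) : (string) $fn[0];
        return $owner . '::' . $fn[1];
    }
    return $fn instanceof Closure ? 'Closure' : 'unknown callable';
}

// $callbacks has the shape of WP_Hook::$callbacks: priority => id => entry.
function authenticate_chain(array $callbacks): array
{
    ksort($callbacks, SORT_NUMERIC); // lower priority number runs first
    $rows = [];
    foreach ($callbacks as $priority => $entries) {
        foreach ($entries as $entry) {
            $rows[] = sprintf('%3d  %s', $priority, describe_callback($entry['function']));
        }
    }
    return $rows;
}

if (function_exists('add_action')) {
    // Inside WordPress (e.g. saved as a must-use plugin): log the real chain.
    add_action('login_init', function () {
        global $wp_filter;
        $hook = $wp_filter['authenticate'] ?? null;
        $rows = $hook ? authenticate_chain($hook->callbacks) : ['(no callbacks)'];
        foreach ($rows as $row) {
            error_log('[authenticate] ' . $row);
        }
    });
} else {
    // Stand-alone run: constructed sample. The three core callbacks and their
    // priorities are WordPress defaults; the plugin entry is hypothetical.
    $sample = [
        99 => [['function' => 'wp_authenticate_spam_check']],
        20 => [['function' => 'wp_authenticate_username_password'],
               ['function' => 'wp_authenticate_email_password']],
        30 => [['function' => ['Hypothetical_Captcha_Plugin', 'check_login']]],
    ];
    echo implode(PHP_EOL, authenticate_chain($sample)), PHP_EOL;
}
```

Any callback listed above the captcha check that can return a WP_User for valid credentials will satisfy an is_a($user, 'WP_User') early exit before the captcha code is reached.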
