Version Description
This version fixes a security bug in versions 1.6.2 and 1.7.0. Please upgrade immediately.
"Auth cookies" are special cookies set at login that authenticate you to the system. It is how WordPress "remembers" that you are logged in between page loads.
During lockout these are supposed to be cleared, but a change in 1.6.2 broke this. It allowed an attacker to keep trying to break these cookies during a lockout.
Lockout of normal password login attempts still worked as it should, and it appears that all "auth cookie" attempts would keep getting logged.
In theory the "auth cookie" is quite resistant to brute force attack. It contains a cryptographic hash of the user password, and the difficulty of breaking it is not based on the password strength but instead on the cryptographic operations used and the length of the hash value. In theory it should take many, many years to break this hash. As theory and practice do not always agree, it is still a good idea to have working lockouts of any such attempts.
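As an added example (not code from the plugin or from this changeset), the mechanism the description is talking about, written as a small stand-alone WordPress plugin: a per-IP lockout that also clears and ignores auth cookies at `plugins_loaded`, so cookie guesses are stopped and counted the same way as password failures. All `example_` names, the option keys and the threshold of four failures are assumptions.

```php
<?php
/* Added illustration, not the plugin's own code. Names prefixed "example_",
 * the option keys and the "four failures, 20 minutes" policy are assumptions. */

function example_is_locked_out( $ip ) {
	$lockouts = get_option( 'example_lla_lockouts', array() ); // ip => expiry
	return isset( $lockouts[ $ip ] ) && $lockouts[ $ip ] > time();
}

// Record one failed attempt; password failures and cookie failures share the
// count, and the fourth failure locks the IP out for 20 minutes.
function example_record_failure( $ip ) {
	$fails = get_option( 'example_lla_fails', array() );
	$fails[ $ip ] = isset( $fails[ $ip ] ) ? $fails[ $ip ] + 1 : 1;
	update_option( 'example_lla_fails', $fails );
	if ( $fails[ $ip ] >= 4 ) {
		$lockouts        = get_option( 'example_lla_lockouts', array() );
		$lockouts[ $ip ] = time() + 20 * 60;
		update_option( 'example_lla_lockouts', $lockouts );
	}
}

// Runs at plugins_loaded, which is before WordPress normally validates the
// auth cookie for the request (that happens lazily, usually at init), so a
// locked-out client is treated as logged out instead of getting a free guess.
// REMOTE_ADDR is only the real client address when no reverse proxy is in front.
function example_handle_cookies() {
	if ( ! example_is_locked_out( $_SERVER['REMOTE_ADDR'] ) ) {
		return;                         // not locked out: leave cookies alone
	}
	wp_clear_auth_cookie();             // expire the cookies in the browser...
	// ...and drop them for the rest of this request, so wp_validate_auth_cookie()
	// never sees a cookie the client is not allowed to present right now.
	foreach ( array( AUTH_COOKIE, SECURE_AUTH_COOKIE, LOGGED_IN_COOKIE ) as $name ) {
		unset( $_COOKIE[ $name ] );
	}
}
add_action( 'plugins_loaded', 'example_handle_cookies' );

// Count a rejected auth cookie exactly like a failed password login.
function example_failed_attempt( $unused ) {
	example_record_failure( $_SERVER['REMOTE_ADDR'] );
}
add_action( 'wp_login_failed', 'example_failed_attempt' );
add_action( 'auth_cookie_bad_username', 'example_failed_attempt' );
add_action( 'auth_cookie_bad_hash', 'example_failed_attempt' );
```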
Release Info
Developer: johanee
Plugin: Limit Login Attempts
Version: 1.7.1
Code changes from version 1.7.0 to 1.7.1
- limit-login-attempts.php +4 -4
- readme.txt +17 -1
@@ -6,7 +6,7 @@
|
|
6 |
Author: Johan Eenfeldt
|
7 |
Author URI: http://devel.kostdoktorn.se
|
8 |
Text Domain: limit-login-attempts
|
9 |
-
Version: 1.7.
|
10 |
|
11 |
Copyright 2008 - 2012 Johan Eenfeldt
|
12 |
|
@@ -85,7 +85,7 @@ $limit_login_nonempty_credentials = false; /* user and pwd nonempty */
|
|
85 |
* Startup
|
86 |
*/
|
87 |
|
88 |
-
add_action('
|
89 |
|
90 |
|
91 |
/*
|
@@ -102,7 +102,7 @@ function limit_login_setup() {
|
|
102 |
/* Filters and actions */
|
103 |
add_action('wp_login_failed', 'limit_login_failed');
|
104 |
if (limit_login_option('cookies')) {
|
105 |
-
|
106 |
add_action('auth_cookie_bad_username', 'limit_login_failed_cookie');
|
107 |
|
108 |
global $wp_version;
|
@@ -239,7 +239,7 @@ function limit_login_failure_shake($error_codes) {
|
|
239 |
|
240 |
|
241 |
/*
|
242 |
-
*
|
243 |
* auth cookies while locked out.
|
244 |
*/
|
245 |
function limit_login_handle_cookies() {
|
6 |
Author: Johan Eenfeldt
|
7 |
Author URI: http://devel.kostdoktorn.se
|
8 |
Text Domain: limit-login-attempts
|
9 |
+
Version: 1.7.1
|
10 |
|
11 |
Copyright 2008 - 2012 Johan Eenfeldt
|
12 |
|
85 |
* Startup
|
86 |
*/
|
87 |
|
88 |
+
add_action('plugins_loaded', 'limit_login_setup', 99999);
|
89 |
|
90 |
|
91 |
/*
|
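Review bot: the new priority argument 99999 in `add_action('plugins_loaded', 'limit_login_setup', 99999);` is a magic number with no explanation in the hunk, and the old line is truncated in this view so a reader cannot tell whether anything besides the priority changed; a one-line comment (or a named constant) saying why setup must run after other plugins' `plugins_loaded` callbacks would make the intent reviewable.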
102 |
/* Filters and actions */
|
103 |
add_action('wp_login_failed', 'limit_login_failed');
|
104 |
if (limit_login_option('cookies')) {
|
105 |
+
limit_login_handle_cookies();
|
106 |
add_action('auth_cookie_bad_username', 'limit_login_failed_cookie');
|
107 |
|
108 |
global $wp_version;
|
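Review bot: the new `limit_login_handle_cookies();` call now runs on every request whenever the `cookies` option is enabled, but its body is not part of this diff, so the review cannot confirm that it checks the current lockout state before clearing anything; please make sure it is a no-op for clients that are not locked out, and add a test that an auth cookie presented during a lockout is rejected, since that behaviour was silently lost in 1.6.2 and this fix also depends on `limit_login_setup` actually being hooked to `plugins_loaded`.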
239 |
|
240 |
|
241 |
/*
|
242 |
+
* Must be called in plugin_loaded (really early) to make sure we do not allow
|
243 |
* auth cookies while locked out.
|
244 |
*/
|
245 |
function limit_login_handle_cookies() {
|
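Review bot: the new comment says `plugin_loaded`, but the hook registered earlier in this file is `plugins_loaded`; fix the name so the comment can be matched against the actual hook.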
@@ -3,7 +3,7 @@ Contributors: johanee
|
|
3 |
Tags: login, security, authentication
|
4 |
Requires at least: 2.8
|
5 |
Tested up to: 3.3.2
|
6 |
-
Stable tag: 1.7.
|
7 |
|
8 |
Limit rate of login attempts, including by way of cookies, for each IP. Fully customizable.
|
9 |
|
@@ -84,6 +84,17 @@ If you have access to the database (for example through phpMyAdmin) you can clea
|
|
84 |
|
85 |
== Changelog ==
|
86 |
|
87 |
= 1.7.0 =
|
88 |
* Added filter that allows whitelisting IP. Please use with care!!
|
89 |
* Update to Spanish translation, thanks to Marcelo Pedra
|
@@ -168,3 +179,8 @@ If you have access to the database (for example through phpMyAdmin) you can clea
|
|
168 |
|
169 |
= 1.0 =
|
170 |
* Initial version
|
3 |
Tags: login, security, authentication
|
4 |
Requires at least: 2.8
|
5 |
Tested up to: 3.3.2
|
6 |
+
Stable tag: 1.7.1
|
7 |
|
8 |
Limit rate of login attempts, including by way of cookies, for each IP. Fully customizable.
|
9 |
|
84 |
|
85 |
== Changelog ==
|
86 |
|
87 |
+
= 1.7.1 =
|
88 |
+
This version fixes a security bug in version 1.6.2 and 1.7.0. Please upgrade immediately.
|
89 |
+
|
90 |
+
"Auth cookies" are special cookies set at login that authenticating you to the system. It is how WordPress "remembers" that you are logged in between page loads.
|
91 |
+
|
92 |
+
During lockout these are supposed to be cleared, but a change in 1.6.2 broke this. It allowed an attacker to keep trying to break these cookies during a lockout.
|
93 |
+
|
94 |
+
Lockout of normal password login attempts still worked as it should, and it appears that all "auth cookie" attempts would keep getting logged.
|
95 |
+
|
96 |
+
In theory the "auth cookie" is quite resistant to brute force attack. It contains a cryptographic hash of the user password, and the difficulty to break it is not based on the password strength but instead on the cryptographic operations used and the length of the hash value. In theory it should take many many years to break this hash. As theory and practice does not always agree it is still a good idea to have working lockouts of any such attempts.
|
97 |
+
|
98 |
= 1.7.0 =
|
99 |
* Added filter that allows whitelisting IP. Please use with care!!
|
100 |
* Update to Spanish translation, thanks to Marcelo Pedra
|
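Review bot: two grammar slips in the new changelog text: "cookies set at login that authenticating you" should read "that authenticate you", and "As theory and practice does not always agree" should read "do not always agree"; "in version 1.6.2 and 1.7.0" also reads better as "in versions 1.6.2 and 1.7.0".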
179 |
|
180 |
= 1.0 =
|
181 |
* Initial version
|
182 |
+
|
183 |
+
== Upgrade Notice ==
|
184 |
+
|
185 |
+
= 1.7.1 =
|
186 |
+
Users of version 1.6.2 and 1.7.0 should upgrade immediately. There was a problem with "auth cookie" lockout enforcement. Lockout of normal password login attempts still worked as it should. Please see plugin Changelog for more information.
|