BulletProof Security Pro forum: Login Security feature request, Login Security Recommendations
Tagged: feature request, Login Security, recommendation
This topic has 22 replies, 3 voices, and was last updated 10 years, 6 months ago by AITpro Admin.
Young Master (Participant)
Does login security lock out for invalid usernames? If not, then I would like to recommend this feature to be added in order to increase login security. I would also like to recommend adding the feature of not letting WordPress reveal valid users in login errors.
AITpro Admin (Keymaster)
The way Login Security works is a valid username is checked against the password used for that User Account. If a User Account does not exist then there is nothing to lock out and that User Account could never be used to log in with. It is recommended that you ALWAYS create an obscure username/User Account and choose to NEVER display that username publicly. By doing that the hacker would not be able to guess what your username is.
Thank you for offering suggestions and ideas to improve BPS Pro.
Young Master (Participant)
What is an obscure username/user account? And where is the choice to never display that username publicly found?
AITpro Admin (Keymaster)
We will be adding your idea about not displaying the User Account name. This will be an additional option on the Login Security page that folks can choose to set or not set. Thanks for this good idea. The usernames that we create for the various AITpro.com sites follow this format: f for forum, m for mainsite, b for blog. After using the initial first letter the rest of the username format is random. Examples: brt45x3jg387p, m4gh290hb2v
To not display a username publicly for a standard WordPress website you would go to the user profile for that user account.
- Nickname (required): create a nickname that you want to display publicly that is different than your actual username for that User Account.
- Display name publicly as: choose your nickname and NOT your actual username for that User Account.
Young Master (Participant)
That's not what I meant when I say not letting WordPress reveal valid users in login errors. Let me explain this to you. For example, my login username for my WordPress site is jimmy. When I try to log in to my site and accidentally enter an incorrect password, WordPress is going to display a message saying “The password you entered for the username jimmy is incorrect. Lost your password?” By doing that WordPress has already revealed that the username jimmy exists on that site. So I recommend you add this feature so that WordPress won't reveal usernames when someone tries to check if that username exists on that website. Instead of WordPress displaying the above message when someone enters an incorrect password, I would like to recommend this message: “The username or password you entered is incorrect. Lost your password?”
AITpro Admin (Keymaster)
The only way “jimmy” would be displayed is if “jimmy” was typed into the username form field. What WordPress checks is what you have entered as the username. What this means is that you already have to know the username and enter it. If you enter a username that does not exist then WordPress displays a message that the username you entered is not valid.
Your idea is good to not to display the username at all in error messages. This is a very simple thing to do and will be added as an additional option that folks can choose or not. Choose to display username in login errors or not to display usernames in login errors. Thank you for this good suggestion/idea.
Young Master (Participant)
Thank you for your understanding.
J Garner (Participant)
I think it would also be good to check that username and nickname are not identical and display a warning (that can be dismissed) if they are the same suggesting that they be different for better security.
It is not good practice that WordPress broadcasts something that by default gives away the admin name, ie without manually changing the nickname the URLs of posts can give away admin usernames…
AITpro Admin (Keymaster)
Yep, this was planned to be added, but we are not sure where it should go yet.
I guess directly on the Login Security & Monitoring page, but then the question is should an Admin Notice be created? ie “BPS Alert! Username X is displayed publicly. You should do X to fix this.” Scratch that, I was having a special moment. Of course linking to where to fix this would be the best idea and not try and take over or do something that already exists in WordPress. So the question is do we treat this as a BPS Alert or not?
“BPS Alert! Username X is displayed publicly. Click Here and do X to fix this.”
J Garner (Participant)
Yes I was going to say maybe add
“Your admin username and your nickname are currently the same for username X. WordPress displays your nickname publicly so it is highly recommended to change the nickname from X to something else. Click here to fix it.”
but I guess that is what you expect to write in the “do X to fix this” sentence…
Young Master (Participant)
I have got more recommendations for the BPS Pro Login Security feature. Instead of a user having to manually enter the number of minutes he/she would like to lock out users for when they reach the maximum password attempts, I would like to recommend that you put in a list of times so that the user can choose the amount of time he/she would like to lock out his/her users, because some people like me would like to lock out people for one day or more until I manually unlock them. I think the lockout time drop down select list should look like the following:
- 30 Minutes
- 1 Hour
- 2 Hours
- 6 Hours
- 12 Hours
- 1 Day
- 2 Days
- 5 Days
- 10 Days
- 20 Days
- 30 Days
- 60 Days
AITpro Admin (Keymaster)
Currently there are no limitations on what someone can enter for the amount of time they want to enter. Doing something like this would limit what people can enter. Example: What if someone wants 45 minutes, 8 hours or 1 year?
Type in 45 for 45 minutes
60 times 8 hours = 480 minutes/8 hours
60 times 24 hours = 1440 minutes/1 day
1440 times 7 days = 10080 minutes/1 week
10080 times 52 weeks = 524160 minutes/1 year
524160 times 20 years = 10483200 minutes/20 years
Young Master (Participant)
Oh!!! I suggested that because BPS Pro 5.8 was giving me a network time out error when I tried to change minutes to one day. But now it works fine.
AITpro Admin (Keymaster)
Most likely you were having intermittent Server/MySQL Server problems at the time since logging into your website is making a connection to your WordPress database and BPS Pro does not have the capability to cause a network time out error. That would be a Server issue.
BPS Pro Login Security is hooking into the standard WordPress authentication process/database connection process, counting login attempts and will lock out the user account based on the conditions/options that you set. The BPS Pro Login Security Database Table is a separate DB Table from the WordPress users table.
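As an added example (not BPS Pro's own code, which the thread does not show): a minimal WordPress must-use plugin that does the two things discussed above, counting failed attempts per username and locking the account out for a configurable number of minutes, and replacing WordPress's specific login error messages with the generic wording Young Master suggested. The attempt limit, the 1440-minute (one day) window, the `ex_` function and transient-key names and the lockout message text are assumptions chosen for this example.

```php
<?php
// Drop into wp-content/mu-plugins/ so it loads before the login handlers run.
// All names prefixed with "ex_" are assumptions for this example, not BPS Pro options.

const EX_MAX_ATTEMPTS    = 5;    // failed logins allowed before lockout (assumed)
const EX_LOCKOUT_MINUTES = 1440; // lockout length in minutes; 1440 = 1 day, as in the thread
const EX_LOCKOUT_MESSAGE = 'Too many failed login attempts. Try again later.';

function ex_lockout_key( $username ) {
    // One counter per submitted username, including usernames that do not exist,
    // stored as a transient that expires on its own after the lockout window.
    return 'ex_login_fail_' . md5( strtolower( trim( (string) $username ) ) );
}

// 1. Refuse authentication while the submitted username is locked out.
//    Priority 30 runs after WordPress's own username/password check (priority 20).
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user;
    }
    if ( (int) get_transient( ex_lockout_key( $username ) ) >= EX_MAX_ATTEMPTS ) {
        // Same wording whether or not the account exists, so nothing is revealed.
        return new WP_Error( 'ex_locked_out', EX_LOCKOUT_MESSAGE );
    }
    return $user;
}, 30, 3 );

// 2. Count each failed attempt; every failure restarts the expiry window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = ex_lockout_key( $username );
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, EX_LOCKOUT_MINUTES * MINUTE_IN_SECONDS );
} );

// 3. Clear the counter on a successful login.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( ex_lockout_key( $user_login ) );
} );

// 4. Replace "incorrect password for jimmy" / "invalid username" with one
//    generic message, keeping only the lockout wording distinct.
add_filter( 'login_errors', function ( $errors ) {
    if ( false !== strpos( $errors, EX_LOCKOUT_MESSAGE ) ) {
        return $errors;
    }
    return 'The username or password you entered is incorrect. '
        . '<a href="' . esc_url( wp_lostpassword_url() ) . '">Lost your password?</a>';
} );
```

Because the counter is keyed on whatever username was submitted, attempts against non-existent accounts are throttled too, which addresses the first question in this thread without revealing whether the account exists.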
AITpro Admin (Keymaster)
BPS Pro 5.8.2 has been released and has 2 new Login Security options: Error Messages Option and Password Reset Option
http://forum.ait-pro.com/forums/topic/login-security-login-monitoring-read-me-first/