Community Support Forums

Re: Brute force logic reports bogus error code

2011-09-15T13:57:54-05:00

Thank you, much appreciated.

Statistics: Posted by Jason Caldwell — September 15th, 2011, 1:57 pm

Re: Brute force logic reports bogus error code

2011-09-15T13:52:51-05:00

I can positively confirm that this works perfectly for me. From my understanding, WP doesn't care what the error codes are (any WP_Error object will stop the login). The user still sees the error message string. In addition, my application logic can now interpret the failure case correctly.

My thanks for including this enhancement!

Statistics: Posted by PseudoNyhm — September 15th, 2011, 1:52 pm

Re: Brute force logic reports bogus error code

2011-09-15T13:27:23-05:00

I see exactly what you mean. If you'd like to change this error code on your installation to this please, and report back to confirm this works well for you, I would be grateful.

I see no negative repercussions to this, but if you can just confirm this please, then I'll be sure this change is included in the next official release for you.

Inside: /s2member/includes/classes/brute-force.inc.php at line #93

Code:: $errors = new WP_Error ("incorrect_password" ...

Change it to this please:

Code:: $errors = new WP_Error ("s2member_brute_force_max_failed_logins" ...

Statistics: Posted by Jason Caldwell — September 15th, 2011, 1:27 pm

Brute force logic reports bogus error code

2011-09-15T11:24:26-05:00

The function stop_brute_force_logins adds a WP_Error to the login process with error code 'incorrect_password'. Although the human-readable message is reasonable (informs the user why they cannot login), the error code cannot be used by software to determine the failure.

Now that I know the behavior, I can work around this, but I would like to request changing the error code in this case to be unique (such as 's2member_brute_force'). Or, allow the error code to be filtered for this specific condition.

Details of my use-case: I'm using WordPress (with s2Member) to authenticate users from an external system. I'm really glad that s2Member's brute-force logic also protects my external system. It would be a cleaner integration if I could tell from the error code what exactly fails during login.

Statistics: Posted by PseudoNyhm — September 15th, 2011, 11:24 am