Brute force logic reports bogus error code

Posted: September 15th, 2011, 11:24 am
by PseudoNyhm
The function stop_brute_force_logins adds a WP_Error to the login process with error code 'incorrect_password'. Although the human-readable message is reasonable (informs the user why they cannot log in), the error code cannot be used by software to determine the failure.

Now that I know the behavior, I can work around this, but I would like to request changing the error code in this case to be unique (such as 's2member_brute_force'). Or, allow the error code to be filtered for this specific condition.

Details of my use-case: I'm using WordPress (with s2Member) to authenticate users from an external system. I'm really glad that s2Member's brute-force logic also protects my external system. It would be a cleaner integration if I could tell from the error code what exactly fails during login.

Re: Brute force logic reports bogus error code

Posted: September 15th, 2011, 1:27 pm
by Jason Caldwell
I see exactly what you mean. If you'd like to change this error code on your installation to this please, and report back to confirm this works well for you, I would be grateful.

I see no negative repercussions to this, but if you can just confirm this please, then I'll be sure this change is included in the next official release for you.

Inside: /s2member/includes/classes/brute-force.inc.php at line #93
Code:
$errors = new WP_Error ("incorrect_password" ...

Change it to this please:
Code:
$errors = new WP_Error ("s2member_brute_force_max_failed_logins" ...

Re: Brute force logic reports bogus error code

Posted: September 15th, 2011, 1:52 pm
by PseudoNyhm
I can positively confirm that this works perfectly for me. From my understanding, WP doesn't care what the error codes are (any WP_Error object will stop the login). The user still sees the error message string. In addition, my application logic can now interpret the failure case correctly.

My thanks for including this enhancement!

Re: Brute force logic reports bogus error code

Posted: September 15th, 2011, 1:57 pm
by Jason Caldwell
Thank you, much appreciated.
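
Added example (not part of the thread and not s2Member's code): how an external integration could branch on the new error code so lockouts can be logged and handled separately from ordinary bad credentials. The helper name classify_login_result and its outcome strings are hypothetical, and the small WP_Error stub is a stand-in so the file runs outside WordPress.

```php
<?php
// Stand-in for WordPress's WP_Error so this file runs outside WordPress
// (assumption: only the methods used below are mimicked).
if (!class_exists('WP_Error')) {
    class WP_Error {
        private $errors = array();
        public function __construct($code = '', $message = '') {
            if ($code !== '') { $this->add($code, $message); }
        }
        public function add($code, $message) { $this->errors[$code][] = $message; }
        public function get_error_codes() { return array_keys($this->errors); }
    }
}

// Hypothetical helper: map a login result to an outcome the external system can act on.
function classify_login_result($result) {
    if (!($result instanceof WP_Error)) {
        return 'authenticated';
    }
    // A WP_Error can carry several codes; inspect all of them, not just the first.
    $codes = $result->get_error_codes();
    if (in_array('s2member_brute_force_max_failed_logins', $codes, true)) {
        return 'locked_out';          // lockout wins even if other codes are present
    }
    if (array_intersect($codes, array('incorrect_password', 'invalid_username'))) {
        return 'bad_credentials';
    }
    return 'other_failure';
}

// Constructed sample results (not captured from a real site).
$samples = array(
    'lockout'   => new WP_Error('s2member_brute_force_max_failed_logins', 'Max failed logins.'),
    'wrong_pw'  => new WP_Error('incorrect_password', 'Incorrect password.'),
    'unrelated' => new WP_Error('empty_username', 'Username is empty.'),
);
$both = new WP_Error('incorrect_password', 'Incorrect password.');
$both->add('s2member_brute_force_max_failed_logins', 'Max failed logins.');
$samples['both'] = $both;

foreach ($samples as $name => $result) {
    echo $name, ' => ', classify_login_result($result), PHP_EOL;
}
```

Before the change discussed in this thread, the 'lockout' and 'wrong_pw' cases both carried 'incorrect_password' and could not be told apart by code.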