Failed login message leads to increased security risk

Tagged: Security, wordfence

  • This topic has 8 replies, 4 voices, and was last updated 9 years, 10 months ago by pace.
  • April 29, 2016 at 8:31 pm #6756
    fgwebdev
    Participant

    When someone tries to log in to a site using this plugin, the failure message identifies if the username was correct or not. This gives an attacker the ability to try usernames to find a valid username before trying the password. The failed login message should not identify if the username or the password failed, just that it was not a valid login. Can the plugin be updated so that the failed login message is more generalized and does not identify which part of the login was incorrect?

    Thanks.

    April 29, 2016 at 10:34 pm #6762
    mbrsolution
    Moderator

    Hi, can you share a screen capture of the error message displayed? I am just trying to find out whether or not it is this plugin that displays your message.

    Thank you

    May 2, 2016 at 1:38 pm #6799
    fgwebdev
    Participant

    Here I am putting in a fake username and password.
    username and password

    Here is what I get when I click submit.
    response

    This shows the username was incorrect.

    When I type in a correct username and a fake password, it says “Password Empty or Invalid.” This gives a brute force attacker plenty of information to use in their attack.

    May 2, 2016 at 10:43 pm #6801
    mbrsolution
    Moderator

    Hi, I tried to open those links you shared above but they timed out. I think what you are referring to can be found in the following file: simple-membershp/js/jquery.validationEngine-en.js.

    May 3, 2016 at 3:57 pm #6803
    fgwebdev
    Participant

    No, it is not in that file. The term “User Not Found.” is located in the following files. This and the error message “Password Empty or Invalid.” should be updated with a more generic login failure message so that an attacker does not know if one or both are incorrect.

    wp-content\plugins\simple-membership\classes\class.bAuth.php
    wp-content\plugins\simple-membership\classes\class.bFrontRegistration.php
    wp-content\plugins\simple-membership\classes\class.swpm-auth.php
    wp-content\plugins\simple-membership\languages\swpm-ca_ES.po
    wp-content\plugins\simple-membership\languages\swpm-da_DA.po
    wp-content\plugins\simple-membership\languages\swpm-da_DK.po
    wp-content\plugins\simple-membership\languages\swpm-de_DE.po
    wp-content\plugins\simple-membership\languages\swpm-el_GR.po
    wp-content\plugins\simple-membership\languages\swpm-es_ES.po
    wp-content\plugins\simple-membership\languages\swpm-fr_FR.po
    wp-content\plugins\simple-membership\languages\swpm-he_IL.po
    wp-content\plugins\simple-membership\languages\swpm-id_ID.po
    wp-content\plugins\simple-membership\languages\swpm-ja_JA.po
    wp-content\plugins\simple-membership\languages\swpm-lt_LT.po
    wp-content\plugins\simple-membership\languages\swpm-lv_LV.po
    wp-content\plugins\simple-membership\languages\swpm-mk_MK.po
    wp-content\plugins\simple-membership\languages\swpm-nl_BE.po
    wp-content\plugins\simple-membership\languages\swpm-nl_NL.po
    wp-content\plugins\simple-membership\languages\swpm-pl_PL.po
    wp-content\plugins\simple-membership\languages\swpm-pt_BR.po
    wp-content\plugins\simple-membership\languages\swpm-pt_PT.po
    wp-content\plugins\simple-membership\languages\swpm-ro_RO.po
    wp-content\plugins\simple-membership\languages\swpm-ru_RU.po
    wp-content\plugins\simple-membership\languages\swpm-sr_RS.po
    wp-content\plugins\simple-membership\languages\swpm-sv_SE.po
    wp-content\plugins\simple-membership\languages\swpm-tr_TR.po
    wp-content\plugins\simple-membership\languages\swpm-zh_CN.po
    wp-content\plugins\simple-membership\languages\swpm-zh_Hans.po
    wp-content\plugins\simple-membership\languages\swpm.pot

    Thanks

    May 3, 2016 at 11:15 pm #6804
    mbrsolution
    Moderator

    Thank you for providing more information. The plugin developers will further investigate your question and request.

    Thank you

    May 13, 2016 at 6:23 am #6879
    admin
    Keymaster

    Please read my reply from the following post which has some explanation:
    https://simple-membership-plugin.com/forums/topic/upping-important-features-request

    July 16, 2016 at 9:32 pm #7477
    pace
    Participant

    Hi, I do love the plugin, but I also have a couple of security concerns.

    As stated above, the plugin tells any attacker if a username was found or not. There is an additional issue though. The Wordfence plugin is a widely adopted security plugin that monitors and audits (among other things) successful and failed logins… It would be extremely useful if this plugin could work alongside security plugins like this, enhancing its operation.

    Kindest of regards,

    Pace

    July 16, 2016 at 9:41 pm #7478
    pace
    Participant

    As a workaround for the above login security problem, it would be fairly easy to simply use the wp-login page with a customised interface…
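
The change requested in this thread, as an added example (not the plugin's code and not written by any participant): the first function reproduces the two distinct messages quoted above, the second returns one generic message, does the same hashing work whether or not the account exists, and reports every failure to an audit callback. The function names, the `$members` array, the generic message text and the callback are hypothetical; inside WordPress the callback is where `do_action('wp_login_failed', $user)` would go.

```php
<?php
// Constructed member store for the example, not the plugin's data model.
$members = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Behaviour described in the thread: the message reveals which field failed.
function login_leaky(array $members, string $user, string $pass): string {
    if (!isset($members[$user])) {
        return 'User Not Found.';
    }
    if (!password_verify($pass, $members[$user])) {
        return 'Password Empty or Invalid.';
    }
    return 'OK';
}

// Hardened form: a single message for every failure, and a hash comparison
// on every request so response time does not reveal whether the user exists.
function login_generic(array $members, string $user, string $pass, callable $on_fail): string {
    static $dummy = null;
    if ($dummy === null) {
        // Stand-in hash used only when the username is unknown.
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    $hash = $members[$user] ?? $dummy;
    // password_verify runs first; the isset check rejects a dummy-hash match.
    $ok = password_verify($pass, $hash) && isset($members[$user]);
    if (!$ok) {
        $on_fail($user); // audit hook so failed attempts can be monitored
        return 'Invalid username or password.';
    }
    return 'OK';
}

// Constructed attempts: unknown user, known user with a wrong password, valid login.
$failed = [];
$audit = function (string $u) use (&$failed): void { $failed[] = $u; };
$attempts = [['mallory', 'x'], ['alice', 'x'], ['alice', 'correct horse']];
foreach ($attempts as [$u, $p]) {
    printf("%-8s leaky: %-27s generic: %s\n", $u,
        login_leaky($members, $u, $p),
        login_generic($members, $u, $p, $audit));
}
printf("audited failures: %s\n", implode(', ', $failed));
```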
