|
calex
|
March 2, 2016 at 8:07 am
The latest upadate triggers login notifications from other plugin like Limit login attempts and Loginizer. It only occurs when EE is activated and only since the most recent update. This could cause some users to be blocked from their own sites.
Please investigate.
|
|
Josh
|
March 2, 2016 at 12:17 pm
Hi there,
To be clear, you’re reporting that this started happening after the update from Event Espresso 4.8.34.p to 4.8.35.p? If you revert to 4.8.34.p does the issue go away?
|
|
calex
|
March 2, 2016 at 1:26 pm
Josh,
Ok, I hadn’t updated for a while but the last working version was 4.8.33.p. I havn’t tried reverting as I wasn’t sure if there were any chage to the database that might conflict by doing so.
What happens is when logged in the security pluggins trigger the lockouts from the ip you are logged in from.
Additional notes the user names from the htpassword protection on wp-login.php are being logged along with the ip og the logged in user.
I have tried a different computer and the same thing occurs.
Regards
|
|
calex
|
March 2, 2016 at 1:28 pm
Also, if you hit refresh on the browser it keeps increasing up the lockouts one at a time.
|
|
calex
|
March 2, 2016 at 1:29 pm
I did try disabling EE and the lockouts stopped.
|
|
Josh
|
March 2, 2016 at 1:45 pm
No change to the database from version 4.8.33. I’ve installed the Limit Logins plugins and I’m not seeing any of the issues you’ve described. Can you outline the specific steps to reproduce the issue?
|
|
calex
|
March 2, 2016 at 2:02 pm
Do you have ssl and htpassword on wp-login?
Literally, clicked update from 4.8.33 to latest version then starte getting the emails from the lockout.
I will try reverting too.
Cheers for looking at this.
|
|
Josh
|
March 2, 2016 at 2:13 pm
No I don’t have SSL and htpassword on wp-login. We do have limit login attempts installed on demoee.org and we’re not seeing login attempts being triggered there either.
|
|
calex
|
March 2, 2016 at 2:14 pm
Another thing I noticed… The EE promotions plugin diabled self. I noticed it earlier but didn’t think much and activated it – and now later I find it off again. Any ideas??
|
|
Josh
|
March 2, 2016 at 2:30 pm
The Promotions add-on will self disable if either the current version of Event Espresso isn’t compatible with the version of Promotions, or if Event Espresso core is deactivated.
|
|
calex
|
March 2, 2016 at 2:33 pm
I reverted to 4.8.33 and all seems ok, for now.
I noticed the promotion plugins being off after updating and off again later.. This is strange.
|
|
Josh
|
March 3, 2016 at 8:58 am
Do you happen to have any other plugins activated on your site that set cookies in the browser?
|
|
calex
|
March 3, 2016 at 10:21 am
Apart from EE –
Adminimize
All in one SEO
Contact form 7
Loginizer – (I tried ‘Limit login attempts’ and got the same issue)
Simple custom post order
Toolset Type
The theme is really light too not many functions.
I was testing last week:
/* Auto logout
function kc_cookie_expiration( $expiration, $user_id, $remember ) {
return $remember ? $expiration : 480;
}
add_filter( 'auth_cookie_expiration', 'kc_cookie_expiration', 99, 3 );*/
// Event Espresso
This was commented out and I had the same effect on a fresh machine?
Could it be SSL related – perhaps the htpassword conflicting between http and https. My admin is forced to SSL but if the htpassword box was accessed via http would that cause an issue?
The weird thing was that the user name from the htpassword was being passed to the wp-login.
I checked the logs and could see anything out of the ordinary.
|
|
Josh
|
March 3, 2016 at 10:27 am
My admin is forced to SSL but if the htpassword box was accessed via http would that cause an issue?
One way to rule that out would be temporarily disable the htpassword box to see if that makes a difference.
|
|
calex
|
March 4, 2016 at 3:40 pm
Ok Josh – I have done some testing with this.
There seems to be a conflict with the new version of EE if a htpassword cookie/session is active/stored in the browser. The presence of the htpassword session sends the brute force plugins crazy – thinking it is under attack on ever refresh by the logged in user.
It only occurs after updating from 4.8.33.
Htpassword on wp-login.php and login limiting plugins are pretty standard in protecting a WordPress site. Could you please look into this so we can update EE.
Many thanks.
|
|
Josh
|
March 7, 2016 at 7:03 am
Hi there,
What we can do is add something to Event Espresso so that it ignores those cookies. In the meantime, can you disable setting the cookies for htpassword?
|
|
calex
|
March 7, 2016 at 7:21 am
Josh,
I think I may wait for the update rather than mess with the cookies.
Please let me know when you think it may be sorted.
Thanks for looking at this again.
|
|
Josh
|
March 7, 2016 at 8:51 am
You’re welcome.
|
|
calex
|
March 14, 2016 at 4:51 pm
Hi, is there an ETA for this bug fix? Thanks.
|
|
Josh
|
March 15, 2016 at 7:50 am
The fix has been merged to the Master branch. We’ll be releasing an update this week (the release will be a current snapshot of Master). You’re welcome to try the current Master branch that you can download from our Github repository right now:
https://github.com/eventespresso/event-espresso-core/
|
|
calex
|
March 15, 2016 at 8:01 am
Josh,
Great news…
Good to know but I will wait for the update – the admins can so it then.
Many thanks.
|
|
Josh
|
March 16, 2016 at 4:33 pm
The fix was included in the Event Espresso 4.8.36.p update, which was released earlier today.
|
|
calex
|
March 19, 2016 at 7:20 pm
Josh,
The fix didn’t solve the issue – it still keeps doing it (had to revert again). Can you please look at this again so I can use the update?
Thanks
|
|
calex
|
March 22, 2016 at 4:32 am
Any idea what happened? I couldn’t see the fix on the change log…
|
|
Josh
|
March 22, 2016 at 6:23 am
The fix was listed as “Cookie-proof the Request classes”. Do you have a test server where you can clone the site to troubleshoot the issue further? The reason I ask is because we cannot reproduce the issue on any of our testing servers.
|
|
calex
|
March 22, 2016 at 8:01 am
Josh – I dont have access to another domain with ssl so the test enviroment wouldn’t be the same. Did you try with https and admin forced to SSL?
The key things are:
Latest version of wordpress
EE latest version
ssl
htpassword on wp-login
Loginizer (limit login attempt did the same)
|
|
Josh
|
March 22, 2016 at 8:04 am
Yes I tried with https and admin forced to SSL.
|
|
calex
|
March 22, 2016 at 8:10 am
The code being used for admin ssl:
define( 'FORCE_SSL_ADMIN', true );
|
|
calex
|
March 22, 2016 at 8:13 am
The brute force prevention I am using.
https://wordpress.org/plugins/loginizer/
The trouble is the site is live and I don’t want to disrupt it.
|
|
Daniel
|
March 23, 2016 at 12:27 pm
Hey, I actually have the same problem. I thought the problem was originally related to the plugin Login With Ajax, however after further investigation, the problem persists. I have tried both Loginizer and Limit Login Attempts. My problem is exactly the same. Every time I refresh the login attempts, I get more failed login attempts. I’ve set the failed login counter really high now to avoid locking myself out, but I can’t do that once the site goes live.
My set up is pretty vanilla out of the box. Event Espresso, Calendar, Events Table View, Promo, Social Sharing, WP User, Sparkpost (email smtp), WP Google Map, Contact Form 7.
Need a fix ASAP please.
|
|
Daniel
|
March 23, 2016 at 12:29 pm
I’ve tried Loginizer, it results in 3 failed login attempts every time I refresh the login page. I’ve tried Limit Login Attempts, it results in 2 failed login attempts every time I refresh the page. Login With Ajax is uninstalled, problem still persists with either of the plugins.
If you need any troubleshooting data, lmk and I will try to help.
|
|
Daniel
|
March 23, 2016 at 12:29 pm
Using the vanilla Iced Mocha theme.
|
|
Daniel
|
March 23, 2016 at 12:32 pm
Also, I am not using SSL. Sorry for all the short posts.
|
|
Josh
|
March 23, 2016 at 1:39 pm
Either or both of you are welcome to try the branch that you can download from our github repository that removes Event Espresso from the login requests:
https://github.com/eventespresso/event-espresso-core/tree/FET-9491-detect-login
|
|
calex
|
March 24, 2016 at 4:17 pm
Josh,
Will this be updatable?
@Daniel – do you have this setup on a testing server Josh could look at?
I’m sure others must be having this issue please let us know so we can get a fix – many thanks to all.
|
|
Daniel
|
March 24, 2016 at 6:37 pm
Certainly, @Josh lmk if you’d like to have a look and I’ll send you server creds. In the meantime, I’ll see if I can figure out how to implement your branch code and give it a try.
|
|
Josh
|
March 24, 2016 at 7:20 pm
You can install the branch on your site by downloading the zip file from the Github page and remove the official release from your site and replace it with the branch.
Once the branch is finished with testing, its changes will be included in a future official release.
|
|
Daniel
|
March 25, 2016 at 9:46 am
This sounds kind of stupid, but perhaps I can test on another server? (stupid, because I won’t be able to replicate my environment) I’m hosted at Flywheel and therefore haven’t SSH access. Unzipping and uploading probably 1000 files by SFTP isn’t going to be a fun operation. I can’t just wget and tar -zxvf in the CLI.
|
|
Josh
|
March 25, 2016 at 9:57 am
No need to unzip and upload by FTP. You can use WordPress Plugins screen to upload the plugin zip file and WordPress will handle the rest.
|
|
Daniel
|
March 25, 2016 at 10:29 am
No kidding! I’m over thinking it :p
Great news. I uploaded the new branch and it seems to work as it should. Only one failed login attempt per try. Version 4.8.38.rc.002 is a win!
Thank you for the quick fix Josh. So the next release should have the update I guess?
Btw, I cloned my site for testing and noticed the “you need a valid license key” warning. Just FYI (because I’m not trying to re-use my key), I hope I didn’t break my license. 🙂
|
|
Daniel
|
March 25, 2016 at 10:30 am
I mean, I saw that license warning on the cloned site. The original site looks as normal.
|
|
Josh
|
March 25, 2016 at 11:42 am
You can go into the Event Espresso > General Settings page on the clone site and blank out the key field there, then save, and the warning will go away.
|
|
calex
|
March 25, 2016 at 11:52 am
@Daniel any chance you could add htpassword to your wp-login.php in .htaccess?
<FilesMatch "wp-login.php">
ErrorDocument 401 default
AuthName "Member Only"
AuthType Basic
AuthUserFile /add-the-path-to-your-password-here/.htpasswd
require valid-user
</FilesMatch>
It would be good for Josh to see that.
You can use http://www.htaccesstools.com/htpasswd-generator/ to help create the .htpasswd file credentials then update the server path to them in the code above.
|
|
calex
|
March 29, 2016 at 5:04 am
Hi Josh,
Has the github link above been merged because I could not get access to the download.
Also, I can be sure this issue is nothing to do with SSl – I managed to reproduce on a friends server with a quick test.
Please let me know what is happening with this…
|
|
Josh
|
March 29, 2016 at 9:39 am
Hi there,
The branch was merged to Master. Master branch can be downloaded from:
https://github.com/eventespresso/event-espresso-core
|
|
calex
|
March 29, 2016 at 10:22 am
Josh,
I have just tried the download – the problem is still occuring.
Not fixed.
Any suggestions???
|
|
Josh
|
March 29, 2016 at 11:27 am
No I don’t have any further suggestions at this time. The current master branch does not load any code when the wp-login.php script loads.
|
|
calex
|
March 29, 2016 at 11:43 am
What you speak of was only part of the problem now the master branch has solved that issue on that page only (wp-login.php). I think the problem is caused by scripts loaded in the actual admin area by EE- causing conflict with session cookies – in my case htpassword. This upsets the brute force plugins as they think they are being attacked on every refresh. We really need a fix for this and I don’t see why we should drop security.
|
|
Josh
|
March 29, 2016 at 1:14 pm
Why do you have htpassword loading in the actual admin area?
|
|
Daniel
|
March 29, 2016 at 1:29 pm
i can only comment that it works great for me using Loginizer now, sorry i can’t test the .htaccess
if i was running my own server (not Flywheel or other shared hosting), rather than .htaccess — it’s not a bad idea, but i’d probably just monitor the logs and add a deny rule to iptables using BFD that would block hammering the server. typically i use APF + BFD. more configurable that way, including sending alerts using something like Scalyr / OpsGenie. probably overkill for a WP site, but it all depends how mission critical it is to you.
|
|
calex
|
March 29, 2016 at 1:49 pm
Correct me if I am wrong… When you authenticate with htpassword it creates a session cookie so you don’t have to login every time you hit that page – If the cookie/session expires or you close the browser you login to htpassword again.
The active htpassword session will be with the browser when you are navigating the admin (not loading it) and why shouldn’t it be? I wouldn’t want to keep authenticating every time I hit that page.
Wordpress recommends using htpassword to protect wp-login.php https://codex.wordpress.org/Brute_Force_Attacks as a way to bolster basic security along with brute force plugins (pretty standard stuff).
Once you have logged in and have the htpassword cookie saved in your browser the brute force plugins conflict with the latest EE changes. If you go to the brute force plugin settings page page and hit refresh in your browser the login attempts just keep increasing. Whatever EE is now doing to cookies means that htpassword cookies/sessions are now seen as a login attempt.
EE was fine before it changed to conflict with admin cookies/sessions why is this needed anyway?
I dont think this is an unreasonable request to get this fixed. EE is a nice bit of kit and you guys do a great job in responding to support requests – I just want this back working.
I appreciate your help.
|
|
Josh
|
March 29, 2016 at 1:54 pm
Whatever EE is now doing to cookies means that htpassword cookies/sessions are now seen as a login attempt.
Are you sure that EE is doing something to the cookies?
|
|
calex
|
March 29, 2016 at 2:10 pm
I did basic install on a friends server
Latest WordPress
EE
Loginizer
Htpassword on wp-login.php
Theme: Adamos
Nothing else.
All was fine with 4.8.33 – I deleted the plugin and downloaded the latest master from Git and uploaded. Loginizer started racking up brute forces on every refresh – I disabled EE and it stopped. The credentials used for the htpassword are seen as the login attempt in the email report.
All I can be sure of is that this isn’t happening with 4.8.33.
|
|
calex
|
March 29, 2016 at 2:16 pm
Just to add.
i.p in the report is that of the authenticated computer/browser and this happens on other machines and browsers.
|
|
calex
|
March 29, 2016 at 4:24 pm
Update – I have done some further testing and found that Loginizer has an update 1.1.0. I have used this with the Git release 4.8.39.rc.026 and it seemed ok the problem stopped. I need to see if this will work with other versions but I could be on to a fix. Thanks for your help, I will let you know how things go with it.
|
