Website accepting blank and incorrect passwords


    #63866
    devpatel
    Spectator
    I have the Modern child theme installed and have been experiencing a serious issue. A user is able to log in to the website even with a blank or incorrect password. I have had my website checked and it is clean; there is no malware issue. Please help as soon as possible, as it is a very serious security concern.
    #63978
    sandy
    Member
    This is weird.
    1. Make sure the Modern child theme (2.1), the WPLMS theme and all the plugins are updated to the latest version.
    2. Have you installed any third-party plugin for login? If yes, try deactivating the plugin.
    Also, can you please share the site URL with admin credentials so we can check the issue? If there is any specific scenario we should test, let us know. Make sure to mark the reply as private when sharing credentials.
    #66085
    devpatel
    Spectator
    Yeah, this is really very bad, but we found the issue and resolved it. I want to let you know the full story.

    Issue: If we enable one session per user from LMS → Settings → Enable One Session Per User, it works fine, but it raised one issue for us. When a user logs in from one browser and shuts down their system without logging out from our website, then if they come to our site again it throws an error (User already logged in). That is one case. There is another issue: if a user closes his browser without logging out, then when he again wants to access our site he needs to log in, but in that case the user gets an error (User already logged in). For the user to re-log in we need to manually log them out from the admin panel; after that they can log in. We are getting this issue very often, so we tried to fix it by putting in the following code:

        add_filter( 'authenticate', 'wpse_12282015_single_login_authenticate', 0, 3 );

        function wpse_12282015_single_login_authenticate( $user, $username, $password ) {
            // Runs at priority 0, i.e. before WordPress' own username/password check.
            $found = get_user_by( 'login', $username );

            if ( ! $found || ! wp_check_password( $password, $found->user_pass, $found->ID ) ) {
                // Not a valid username/password pair: pass the incoming value on unchanged
                // so the remaining 'authenticate' callbacks still run.
                return $user;
            }

            if ( isset( $found->roles ) && is_array( $found->roles ) ) {
                // Admins may be logged in more than once.
                if ( in_array( 'administrator', $found->roles, true ) ) {
                    return $found;
                }
                // Destroy every existing session for this user; a fresh one is created
                // right after this login succeeds.
                $sessions = WP_Session_Tokens::get_instance( $found->ID );
                $sessions->destroy_all();
                return $found;
            }

            return $user;
        }

    With this code we are destroying the sessions of the user before creating a new one, in functions.php of the Modern theme. This resolved the issue we were facing earlier, but it raised a new issue: now users are not able to log in from social (FB, G+). So please help me to resolve it.
    We just want to get rid of logging users out from the admin panel every time. Please provide us appropriate assistance.
    #66199
    H.K. Latiyan
    Participant
    Originally the issue was that WordPress was accepting blank and incorrect passwords, which has nothing to do with one session per user. Also, your topic is really confusing, as originally you were saying that WordPress accepts blank and wrong passwords and now you are saying that WordPress shows the "user already logged in" error. So please clarify your issue.
    Please remove your code. You should not destroy the user sessions, and this is interfering with the social login also, so I recommend you remove it. We have added a cap of 30 minutes for one session per user, according to which if the user is inactive for 30 minutes she gets automatically logged out and can log in again after these 30 minutes. However, if you want, you can reduce this 30-minute duration; refer to: https://wplms.io/support/knowledge-base/adjusting-the-30-minute-login-window-for-one-session-per-user/
    #66491
    devpatel
    Spectator
    Hello. Originally the issue was as I stated in the topic, but meanwhile we resolved it, and when we resolved it the solution raised a new issue: it's interfering with social login. And the solution you told me, the 30-minute cap, will not work for us. Actually we have lectures of more than 2 hours (in video format), so users are mostly inactive while watching lectures. If they are watching a lecture they will be inactive for 30 minutes, and if they switch to the next lecture they have to log in again. This will be a hassle for them, which is what I don't want. Please elaborate on your login cap time system and how it will work for our students and admins. Guys, do you have any contact number so we can call you directly, or somewhere we can contact you for a better description of the problem? I think this would be the best way for both of us.
    #66577
    H.K. Latiyan
    Participant
    1) The original issue, that anyone can log in using a wrong or blank password, is not replicable on any of our test setups or on our demo sites. We have the live Modern theme demo and you can check for yourself that the issue is not coming from the WPLMS theme. Therefore the solution you used is wrong; that's why I asked you to remove that code, as it is not the solution to this issue. I understand that this is a very serious security concern for you, but it is not coming from the theme. It might be coming from a third-party plugin, so try deactivating the third-party plugins.
    2) According to one session per user, if the user is inactive for less than 30 minutes and tries to log in again on another device, then the user will get the error. But if the user is on the same device and watching a video of 2 hours, she will not be logged out.
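    As an added illustration (not from this thread, the WPLMS theme or the Modern child theme): the login chain in WordPress is decided by the filters hooked to 'authenticate', 'wp_authenticate_user' and 'check_password', so listing every callback on those hooks with its source file shows which plugin or theme code sits in the path, which is the quickest way to narrow down the third-party suspicion above. It runs inside WordPress (for example with WP-CLI: `wp eval-file list-auth-hooks.php`; the file name is an assumption).

```php
<?php
/**
 * Added diagnostic (not from the thread or WPLMS): report every callback
 * attached to the WordPress hooks that decide whether a login succeeds.
 * A callback that returns a WP_User from 'authenticate', or true from
 * 'check_password', without verifying the password would produce exactly
 * the "blank password accepted" symptom described in the thread.
 */

function describe_callback($callable) {
    // Resolve a callable into "name @ file:line" so it can be traced to a plugin or theme.
    if (is_string($callable) && strpos($callable, '::') !== false) {
        $callable = explode('::', $callable, 2);
    }
    if (is_string($callable)) {
        $ref  = new ReflectionFunction($callable);
        $name = $callable;
    } elseif (is_array($callable)) {
        $class = is_object($callable[0]) ? get_class($callable[0]) : $callable[0];
        $ref   = new ReflectionMethod($class, $callable[1]);
        $name  = $class . '::' . $callable[1];
    } elseif ($callable instanceof Closure) {
        $ref  = new ReflectionFunction($callable);
        $name = '{closure}';
    } else {
        return 'unrecognised callable';
    }
    // Built-in functions have no file; getFileName() then returns false.
    return sprintf('%s @ %s:%d', $name, $ref->getFileName() ?: '(internal)', (int) $ref->getStartLine());
}

function list_auth_hooks(array $hooks = ['authenticate', 'wp_authenticate_user', 'check_password']) {
    global $wp_filter;
    $report = [];
    foreach ($hooks as $hook) {
        if (!isset($wp_filter[$hook])) {
            continue;
        }
        // WP_Hook::$callbacks is keyed by priority, then by a unique id per callback.
        foreach ($wp_filter[$hook]->callbacks as $priority => $callbacks) {
            foreach ($callbacks as $cb) {
                $report[] = sprintf('%-20s prio %3d  %s', $hook, $priority, describe_callback($cb['function']));
            }
        }
    }
    return $report;
}

// Core's own callbacks live under wp-includes/; anything under wp-content/plugins
// or wp-content/themes is third-party code in the authentication path.
foreach (list_auth_hooks() as $line) {
    echo $line, "\n";
}
```

    Any entry whose file is under wp-content/ and whose priority is lower than WordPress core's own 'authenticate' callbacks runs before the built-in password check and is the first thing to review.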
    #67253
    devpatel
    Spectator
    This reply has been marked as private.