WordPress two-factor login plugin bug, er, bypasses 2-factor login

The maker of a popular plugin that provides two-factor authentication for WordPress bloggers is preparing an update after finding a vulnerability in its system. It advises that anyone using two-factor plugins from any vendor needs to check their security strength. Duo Security's duo_wordpress plugin is vulnerable in some …

COMMENTS

This topic is closed for new posts.

Just curious

Why would anybody except a single admin have to log into a WordPress site? Users can participate in the discussion without logging in. I've seen sites where there is an ability for users to log in, but am unaware of any practical use for that. I host a number of WordPress sites myself, and haven't found that "feature" useful.


Re: Just curious

That's not how I remember it. Maybe it's a non-usual approach, but I definitely had to log in to several WordPress blogs just to post a damn comment - annoying, for sure.


Re: Just curious

You set it up the way you want. The WP menu looks like this:

Before a comment appears:

- An administrator must always approve the comment

- Comment author must have a previously approved comment

Choose the second one and it's easy to administer. I've set them up that way for years. Having people "sign up" to your blog is just a silly idea in most cases. As far as I can tell, the only reason for multiple logins is if there are multiple authors or it's a private blog with no public access. Neither of those two is very common.


Re: Just curious

Some sites have multiple authors, or you might have an admin login to support a blog set up for someone else.


Re: Just curious

Recently one of my favorite blogs, run on WordPress, spent weeks cleaning up after a massive trackback and comment spam attack and now requires commenters to log in, and I'm totally cool with that, if it means lucid, quality comment threads free of spam and trollage.

About five years or so ago, when I migrated my cartoon site from an old-style static HTML site over to a WordPress blog installation, the first thing I did was to disable comments by default, based on what I'd seen happening in the comment sections of several other blogs I read. I just didn't have the motivation or time to spend moderating flamage or scraping out all the spam. I also ended up having to disable trackbacks as well, as almost all of my trackbacks were pointing back to skeezy dating sites or counterfeit Louis Vuitton accessory shops.


"force-browse"

That's a scary version of saying "type the URL into the address bar"?


Should have used null nuke. It has double-encrypted cookies: the only way for anyone to know your password is for you to have a simple password, not to steal your cookie etc. The cookie is stored on the local computer with base64_encode and an encrypted string beneath, which gets sent to the server and only gets decrypted if the cookie pass key set server-side is the same as when the cookie was encrypted; otherwise it returns null and logs you out.

Some make-clickable bug to fix, and v2.1 gets released and takes over the world in 2 weeks or so.


2.1 can be downloaded from http://sourceforge.net/projects/nullnuke/

The cookie passkey is set in the back end configuration.

The make-clickable bug still exists; not sure if it's the PayPal HTML with preg_replace_callback or the bbcode sanitizer. Everything works with include files in sideblocks anyway.
