WordPress two-factor login plugin bug, er, bypasses 2-factor login The maker of a popular plugin that provides two-factor authentication for WordPress bloggers is preparing an update – after finding a vulnerability in its system. It advises that anyone using two-factor plugins from any vendor need to check their security strength. Duo Security's duo_wordpress plugin is vulnerable in some …
Why would anybody except a single admin have to log into a WordPress site? Users can participate in the discussion without logging in. I've seen sites where there is an ability for users to log in, but am unaware of any practical use for that. I host a number of WordPress sites myself, and haven't found that "feature" useful.
You set it up the way you want. The WP menu looks like this:
Before a comment appears
- Before a comment appears An administrator must always approve the comment
- Comment author must have a previously approved comment
Chose the second one and it's easy to administer. I've set them up that way for years. Having people "sign up" to your blog is just a silly idea in most cases. As far as I can tell, the only reason for multiple logins is if there are multiple authors or it's a private blog with no public access. Neither of those two are very common.
Recently one of my favorite blogs, run on WordPress, spent weeks cleaning up after a massive trackback and comment spam attack and now requires commenters to log in, and I'm totally cool with that, if it means lucid, quality comment threads free of spam and trollage.
About five years or so ago, when I migrated my cartoon site from an old-style static HTML site over to a WordPress blog installation, the first thing I did was to disable comments by default, based on what I'd seen happening in the comment sections of several other blogs I read. I just didn't have the motivation or time to spend moderating flamage or scraping out all the spam. I also ended up having to disable trackbacks as well, as almost all of my trackbacks were pointing back to skeezy dating sites or counterfeit Louis Vuitton accessory shops.
should have used null nuke, it has double encrypted cookies, the only way for anyone to know your password is for you to have a simeple password, not steal your cookie etc, the cookie is stored on the local computer with base64_encode, and a encypted string beneath which gets sent to the server and only gets unencypted if the cookie pass key set serverside is the same as when the cookie was encrypted, else it return null and logs you out
some makeclickable bug to fix and v2.1 gets released and takes over the world in 2 weeks or so time
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
