Admin Tools for WordPress

#31399 – More information in Security Exceptions Log

Posted in ‘Akeeba Admin Tools for WordPress’
Wednesday, 29 May 2019 03:44 CDT
I have been using Admin Tools for WordPress for some time now. Although I am satisfied with this plugin, I do have a feature request to ask. In the Security Exceptions Log I would like to see more information, for example about the Login failure message. I am interested in the username used in the login attempt that resulted in this Login failure state.

I use Admin Tools on sites with lots of users and don't want to use another plugin to see which users tried to log in and failed.

Did I miss this option in the settings?
Wednesday, 29 May 2019 04:50 CDT
We used to have that feature. Then GDPR happened. Storing the IP address together with a username deanonymizes the IP, making it illegal to collect and store. We can definitely add a switch to re-enable that feature, but please bear in mind that toggling that switch makes your site non-GDPR compliant, which may carry a fine of up to 4% of your global income or 20 million Euros, whichever is higher.

I'd also like to note that this information is useless anyway, which is why we had not considered that feature a priority, at all.

Let's say you know that they are trying to log in, repeatedly, with a username which does not exist. You're probably going to blacklist that IP. Of course that IP will be released and belong to someone else, an innocent person, in the future. The attack was doomed to fail and all you ended up doing is blacklisting an IP of a potential future visitor for no reason. It's best if you let Admin Tools auto-block the IP of the attacker.

Otherwise, let's say that it's a real user of your site. You might wonder where that came from. Stupid wannabe hackers will use a predefined list of common usernames. Semi-intelligent hackers will use your site's Authors page, if it's not disabled. Smart hackers will simply use WordPress' JSON API to find your site's usernames. So, your username is essentially public, no wonder hackers have it. What would you do? Keep changing your username? Because of the leaky API it doesn't matter; they will find the new username again -- and because it's linked to your email they will know not to start over the brute force attack.

Therefore knowing the username the hacker is trying to use doesn't help you any. The only two things you can do to prevent password brute forcing are 1. very long, random passwords (I recommend 64 randomly generated characters from the sets a-z, A-Z, 0-9 and special characters) and 2. two-factor authentication / two-step verification.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native

🇬🇧English: excellent

🇫🇷French: basic

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
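The reply above names two places where WordPress discloses login names to anonymous visitors: the Authors page and the REST (JSON) API users endpoint. The following must-use plugin is an added example written for this page; it is not Admin Tools code and not something the reply recommends. It assumes a standard WordPress install and a file path of wp-content/mu-plugins/limit-username-disclosure.php (the file name is an assumption). It closes those two anonymous disclosure paths for visitors who are not logged in, while leaving them available to logged-in users so the block editor and author pickers keep working.

```php
<?php
/**
 * Added example, not part of Admin Tools: reduce anonymous username disclosure.
 * Assumed location: wp-content/mu-plugins/limit-username-disclosure.php
 */

// 1. Remove the REST users routes from the endpoint map for anonymous requests.
//    Anonymous GET /wp-json/wp/v2/users then returns a 404 "No route was found"
//    instead of a list of login names. Logged-in users are unaffected.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints;
    }

    // These are WordPress core's own route keys for the users controller.
    foreach (['/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)'] as $route) {
        unset($endpoints[$route]);
    }

    return $endpoints;
});

// 2. Send anonymous visitors away from author archives. Without this, a
//    request for /?author=1 is redirected by core to /author/<nicename>/,
//    and the nicename is derived from the login name by default.
//    Priority 1 runs this before core's redirect_canonical() (priority 10),
//    so the Location header never carries the nicename.
add_action('template_redirect', function (): void {
    if (is_author() && !is_user_logged_in()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 1);
```

This reduces how easily login names can be listed; it does not make them secret (display names, comment output and other plugins can still expose them), so the reply's actual controls, long random passwords and two-factor authentication, remain the ones that stop a brute-force attempt regardless of whether the username is known.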

Monday, 22 July 2019 17:17 CDT
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.