WordPress two-factor login plugin bug, er, bypasses 2-factor login

The maker of a popular plugin that provides two-factor authentication for WordPress bloggers is preparing an update after finding a vulnerability in its system. It advises that anyone using two-factor plugins from any vendor needs to check their security strength. Duo Security's duo_wordpress plugin is vulnerable in some …


This topic is closed for new posts.
  1. Ole Juul

    Just curious

    Why would anybody except a single admin have to log into a WordPress site? Users can participate in the discussion without logging in. I've seen sites where there is an ability for users to log in, but am unaware of any practical use for that. I host a number of WordPress sites myself, and haven't found that "feature" useful.

    1. DropBear

      Re: Just curious

      That's not how I remember it. Maybe it's a non-usual approach, but I definitely had to log in to several WordPress blogs just to post a damn comment - annoying, for sure.

      1. Ole Juul

        Re: Just curious

        You set it up the way you want. The WP menu looks like this:

        Before a comment appears:

        - An administrator must always approve the comment

        - Comment author must have a previously approved comment

        Choose the second one and it's easy to administer. I've set them up that way for years. Having people "sign up" to your blog is just a silly idea in most cases. As far as I can tell, the only reason for multiple logins is if there are multiple authors or it's a private blog with no public access. Neither of those two is very common.

      2. Mike Flugennock

        Re: Just curious

        Recently one of my favorite blogs, run on WordPress, spent weeks cleaning up after a massive trackback and comment spam attack and now requires commenters to log in, and I'm totally cool with that, if it means lucid, quality comment threads free of spam and trollage.

        About five years or so ago, when I migrated my cartoon site from an old-style static HTML site over to a WordPress blog installation, the first thing I did was to disable comments by default, based on what I'd seen happening in the comment sections of several other blogs I read. I just didn't have the motivation or time to spend moderating flamage or scraping out all the spam. I also ended up having to disable trackbacks as well, as almost all of my trackbacks were pointing back to skeezy dating sites or counterfeit Louis Vuitton accessory shops.

    2. phuzz

      Re: Just curious

      Some sites have multiple authors, or you might have an admin login to support a blog set up for someone else.

  2. M Gale

    That's a scary version of saying "type the URL into the address bar"?

  3. Zmodem

    Should have used null nuke. It has double-encrypted cookies: the only way for anyone to know your password is for you to have a simple password, not to steal your cookie etc. The cookie is stored on the local computer with base64_encode, and an encrypted string beneath which gets sent to the server and only gets decrypted if the cookie pass key set server-side is the same as when the cookie was encrypted, else it returns null and logs you out.

    Some makeclickable bug to fix and v2.1 gets released and takes over the world in 2 weeks or so.

    1. Zmodem

      2.1 can be downloaded from

      The cookie passkey is set in the back-end configuration.

      The make clickable bug still exists; not sure if it's the PayPal HTML with preg_replace_callback or the bbcode sanitizer. Everything works with include files in sideblocks anyway.


Biting the hand that feeds IT © 1998–2022