Bug in Multisite Privacy plugin using password option

We've had problems implementing Multisite Privacy using the password option: essentially the password is not accepted, and our WPEngine provider uses the Limit Login Attempts plugin, which iterates, then bars us from logging in (even though we were only entering a password, not logging in). This issue has now been diagnosed as a Multisite Privacy plugin bug by the WPEngine support staff; see below. For now, I've disabled this privacy option under network settings, but it would be extremely handy and is in fact right now desired by some of our sites. When can you fix the bug? I see Multisite Privacy was last fixed on 16 July.

Regards,

Jim P.

***

Hi Jim,

The current issue where users get locked out while trying to view a password protected sub-site seems to be coming from this bit of code found within the Multisite privacy plugin.

In sitewide-privacy-options.php on line 281:

    if ( $current_blog->public == '-4' && isset( $_GET['privacy'] ) && '4' == $_GET['privacy'] ) {

        add_filter('authenticate', 'wp_authenticate_privacy', 800, 3);

        function wp_authenticate_privacy($user, $username, $password) {
            $username = sanitize_user($username);
            $password = trim($password);

            if ( isset( $_REQUEST['redirect_to'] ) )
                $redirect_to = $_REQUEST['redirect_to'];
            else
                $redirect_to = home_url();

            if ( isset( $_POST['pwd'] ) ) {
                $spo_settings = get_option( 'spo_settings' );
                if ( $_POST['pwd'] == $spo_settings['blog_pass'] ) {
                    $value = wp_hash( get_current_blog_id() . $spo_settings['blog_pass'] . 'blogaccess yes' );
                    setcookie( 'spo_blog_access', $value, time() + 1800, $current_blog->path );
                    wp_safe_redirect( $redirect_to );
                    exit();
                } else {
                    $errors = new WP_Error();
                    $errors->add('incorrect_password', __('ERROR: Incorrect Password', 'sitewide-privacy-options'), 'error');
                    return $errors;
                }
            }
            $user = null;
            if ( $user == null ) {
                // TODO what should the error message be? (Or would these even happen?)
                // Only needed if all authentication handlers fail to return anything.
                $user = new WP_Error('authorization_required', __('Authorization Required: This blog requires a password to view it.', 'sitewide-privacy-options'), 'message');
            }
            $ignore_codes = array('empty_username', 'empty_password');
            if (is_wp_error($user) && !in_array($user->get_error_code(), $ignore_codes) ) {
                do_action('wp_login_failed', $username);
            }
            return $user;
        }
    }

This code runs when this page is viewed:

https://ds.lclark.edu/demo/wp-login.php?privacy=4

Here the authenticate filter is used, which is only supposed to run when a user submits the login form. For this plugin it runs every time the page is loaded, and because the password isn't filled out when you load the page it counts as one failed login attempt. Then the wp_login_failed action is run, which causes the second failed login attempt.

Based on what I found above this seems to be an issue with the Multisite privacy plugin (the same happens on staging) and I suggest sharing this with WPMU DEV.

Please let us know if you have any questions about this or need anything else from our end!

Jason Stallings
Support Engineer
My Office Hours | 10pm-9am CST Friday-Monday
WP Engine - Finely Tuned WordPress
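
One way to stop plain page views from being counted as failed logins, shown as an added sketch that is not the plugin's code and not a fix from WPMU DEV or WP Engine. It assumes it runs inside WordPress multisite in place of the quoted filter, reuses the option and cookie names visible in the quoted snippet, and relies on core's wp_authenticate() ignoring the empty_password error code; the function name spo_privacy_authenticate is hypothetical.

```php
<?php
// Added example, not the plugin's own code. Assumes a WordPress multisite context.
// spo_privacy_authenticate is a hypothetical name; 'spo_settings', 'blog_pass' and
// 'spo_blog_access' are taken from the quoted snippet.
add_filter( 'authenticate', 'spo_privacy_authenticate', 800, 3 );

function spo_privacy_authenticate( $user, $username, $password ) {
    global $current_blog; // needed for the cookie path inside function scope

    // Page view or empty form: nothing was submitted, so there is no attempt to judge.
    // 'empty_password' is one of the codes wp_authenticate() ignores, so
    // wp_login_failed does not fire and lockout plugins count nothing.
    $submitted = isset( $_POST['pwd'] ) ? (string) $_POST['pwd'] : '';
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || '' === $submitted ) {
        return new WP_Error(
            'empty_password',
            __( 'Authorization Required: This blog requires a password to view it.', 'sitewide-privacy-options' ),
            'message'
        );
    }

    $spo_settings = get_option( 'spo_settings' );
    $expected     = isset( $spo_settings['blog_pass'] ) ? (string) $spo_settings['blog_pass'] : '';

    // Constant-time comparison; an unset site password never matches.
    if ( '' !== $expected && hash_equals( $expected, $submitted ) ) {
        $redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : home_url();
        $value       = wp_hash( get_current_blog_id() . $expected . 'blogaccess yes' );
        setcookie( 'spo_blog_access', $value, time() + 1800, $current_blog->path );
        wp_safe_redirect( $redirect_to );
        exit();
    }

    // A real wrong password: return the error and let core's wp_authenticate()
    // fire wp_login_failed once. No manual do_action() here, which is what
    // produced the second counted attempt in the quoted code.
    return new WP_Error(
        'incorrect_password',
        __( 'ERROR: Incorrect Password', 'sitewide-privacy-options' ),
        'error'
    );
}
```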