S2Member login does not trigger wp_login event?

I’m trying to track user logins so that I can see how many times each user has logged in, how long they were online, etc., but the only plugin I have found that does this well relies on wp_login event to trigger.

It seems that whenever an admin logs in, wp_login event triggers and the tracking plugin works as intended, but whenever an member logs in of member type S2Member Level 1, S2Member Level2, etc… they do not trigger a wp_login event and are not tracked. This is using the exact same login page.

The plugin I am using to track user logins is User Login History and you can see the dev’s very nice reply helping to isolate the problem in this support thread: https://wordpress.org/support/topic/only-logging-admin-logins/

I’d appreciate any advice on how to meet our tracking needs. Thanks!

I suspect the bug is actually in the other plugin because other logging plugins have no trouble detecting logins by those with s2Member roles. I suspect that the other developer is using the wrong hook. I believe it should be wp_authenticate

Thanks, Tim, I appreciate the help.

You mention other logging plugins having no trouble detecting logins. Could you recommend one? We tried WP Security Audit Log and it has the same trouble. It will log other s2Member role user activity, and it logs admin logins, but not the logins from s2Member role users.

There are others, but Simple History is my current favorite.

Thanks Tim.
I installed Simple History and tried it, but am having the same problem. Can you confirm that Simple History is recording the log-ins of s2Member custom role members on your sites? My s2Member Level 1 and Level 2 users are not recorded as logging in, only when they log out (which many do not do, they just close the browser).
Simple History, like the others, is catching when an admin logs in, but not an s2Member Level ___ user.
Again, I very much appreciate your help! I’m just trying to find a way to log ip addresses on users when they log in to help us verify compromised accounts.
Btw, I also tried WP Audit Log History, which is pretty robust, and it had the same problem.

I already have checked, and it’s recording their logins with no problem.

But you made me wonder. I realize that I am using my own login form, not wp-login
php. So maybe that’s why it all works for me.

Try this: go into Simple History and find the file loggers/SimpleUserLogger.php. On line 112, change wp_login to wp_authenticate and save. Does it work now?

Thanks!! That does seem to be working.
I am now getting some additional “Unknown user logged in” notices – they seem to be generated whenever the wp-login.php page is loaded. Maybe it’s s2Member trying to authenticate if someone is already logged in?
In any case, at least now I can see s2Member user logins.
Thanks so much!!

Right. As I thought, wp_authenticate is the correct hook, and not wp_login. I made the mistake of thinking that the other logging plugins had it right, but it appears that none of them do(!) and that I was getting good results because of my custom form.

The problem with using the hook wp_login is that it runs after wp_authenticate, and that the latter involves what WP calls a pluggable function. That means that it is explicitly designed to be capable of being overwritten by a plugin. s2Member overwrites it so as to redirect those with s2Member roles to the Login Welcome Page (or whatever the user sets in s2Member), which means that wp_login never fires for such roles.

This doesn’t cause me a problem with my custom login form because it uses wp_login.

So, as I said, it’s the logging plugins that have it wrong. They should be using the wp_authenticate hook.

Hmm, the plot thickens! I have just tried using the default wp-login.php form with the s2Member Login Welcome Page set, and no modifications to Simple History, and it recorded logins by a member at s2Member Level 1 with no problem.

So I think there is something else happening on your site, and the wp_login hook looks like it’s fine.

Interesting! I’ll chat with the person who setup our login page and see if she has any ideas on what might be causing this. It’s happening on two sites we run that have different login customization plugins, but it might be some setting in s2Member or maybe even something like iThemes Security Pro, I suppose.

iTheme Security? Oh, no! There are so many reports of problems with that plugin. I would ask what it is supposed to help with. If you are using the default wp-login.php, I would strongly recommend WPBruiser instead.

iThemes Security Pro has been a solid all-around security solution for us. We’ve been using it for about 18 months and so far, all smooth sailing. Pricing was good, and it plays nice with BackupBuddy, which some security software does not (looking at you, WordFence).

I can’t speak to other peoples troubles, but it does helps us set some basic security features, handle malware scans, block brute force attacks, ensures secure logins, does 2-factor auth on admin accounts, etc.

We don’t have any user commenting on our sites, so don’t need the anti-spam that WPBruiser seems to be focused on.

I don’t like Wordfence either: they are great at salesmanship, weak on actual security.

I think you’re misguided in your impression of WPBruiser. While it certainly does guard against spam comments, it also deals with brute force attacks (as, in fact, does s2Member itself if you choose the appropriate setting), blocks dangerous proxy IPs and user enumeration, disables XML-RPC, and a variety of other things. (Pricing is even better: it’s free!)

As for 2FA, I’d choose either of the plugins associated with David Anderson over anything produced by iThemes. (I’m definitely not a fan of Backup Buddy. Updraft Plus, by Anderson and his team, has proved way more robust for me.)

I appreciate your opinion, Tim, and your assistance with the wp_authenticate hook. We’ll stick to BackupBuddy and iThemes Security Pro. They are both working very well for us, they have the functionality we need, and we have lifetime updates on the pro versions with no annual cost with both of them. If they cease to please us for any reason, we’ll take a look at your suggestions.
Best wishes and thanks again.