[wp-hackers] Counting failed logins

[Aaron Brazell]

A "wp-error" hook would be useful in these situations.

--
Aaron Brazell
Editor/Writer, Technosailor.com
www.technosailor.com

-----Original Message-----
From: wp-hackers-bounces at lists.automattic.com
[mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Sam Angove
Sent: Monday, December 05, 2005 9:01 AM
To: wp-hackers at lists.automattic.com
Subject: Re: [wp-hackers] Counting failed logins

On 12/5/05, Podz <podz at tamba2.org.uk> wrote:
> I'm making an assumption that in order to get access to a blog it has 
> to be through wp-login.php and not some passing of a string, but is 
> there a way for failed logins to be counted ?

It's pretty easy to edit wp-login.php to do it, just call the log function
when wp_login() fails (around line 196). If you habitually watch your server
error log, something like "trigger_error('WP Login
Error: '. $user_pass, E_USER_ERROR);" would do it. A bit harder otherwise.

WP's error reporting is pretty terrible all around -- there's something very
wrong about a mature application producing error pages which say nothing but
"Cheatin' uh ?" -- but this probably isn't the right time in the release
cycle for an overhaul. :)

Another place logging would be good is the "die('GLOBALS overwrite attempt
detected');" in wp-settings.php -- just showing it to the attacker isn't
that helpful, but I'd very much like to know if someone's trying it. Or
trying to delete users. Or seeing any of the "hi, you are unspeakably evil"
errors, really -- most of the places WP just die()s.

Just a pluggable wp_error() wrapper for die(), maybe? It has the virtue of
simplicity, at least. It'd be nice to prettify errors too, though -- a
WP-wide wpdb::bail()? -- but that leads to templating etc., if only for the
frequent user-facing errors, like the comment-posting ones.

I'd also like a pony. ;)
_______________________________________________
wp-hackers mailing list
wp-hackers at lists.automattic.com
http://lists.automattic.com/mailman/listinfo/wp-hackers


I choose Polesoft Lockspam to fight spam, and you?
http://www.polesoft.com/refer.html