[wp-hackers] Securing Wordpress Login

Jamie Holly hovercrafter at earthlink.net
Mon Aug 21 14:20:50 GMT 2006


There are hooks on the wp-login.php page, but going your route would
actually rely on hooking into the profile page since that is where passwords
are changed. Wordpress actually does a good job at generating the random
password when you first register so you wouldn't need to check there.

This would also be a working solution (I know some forum software uses this
same type of check). 

The other option would be to generate a plugin to invoke the captcha or
retry system and possibly distribute it with the core Wordpress just as an
option for people to secure their sites a little more.

Jamie Holly
http://www.intoxination.net

-----Original Message-----
From: wp-hackers-bounces at lists.automattic.com
[mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Brian Layman
Sent: Monday, August 21, 2006 9:52 AM
To: wp-hackers at lists.automattic.com
Subject: RE: [wp-hackers] Securing Wordpress Login

>Another option would be to have WordPress reset the user's password after 
>X number of failed login attempts.

I've always thought that this leads to a great attack vector: Invalidating a
small percentage of users' passwords every other day.  Annoying the
membership of a site, rather than the site itself, could accomplish more
than a one-time brute-force break-in with a lot less effort.

Personally, I'd rather not see "retries" in the core, at least not on by
default.  I would advocate a "strong password" option that just checks for
length, and three out of the following four categories, when the password is
chosen:
1. Upper case letters
2. Lower case letters
3. Numbers
4. Symbols/punctuation


Is the login screen pluggable? I've never looked... 
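
As an added illustration, not code from this thread or from WordPress itself, here is the "strong password" rule Brian describes above as a function: a minimum length plus at least three of the four character categories. The minimum length of 8 is an assumption, since the post asks for a length check but names no number; a profile-page hook could call this on the candidate password and report the missing categories back to the user.

```python
from dataclasses import dataclass, field

# Assumed minimum length; the thread asks for "length" but names no number.
MIN_LENGTH = 8
REQUIRED_CATEGORIES = 3

# The four categories from the thread. "Symbols/punctuation" is read here as
# any character that is neither alphanumeric nor whitespace.
CATEGORIES = {
    "upper": lambda c: c.isupper(),
    "lower": lambda c: c.islower(),
    "digit": lambda c: c.isdigit(),
    "symbol": lambda c: not c.isalnum() and not c.isspace(),
}


@dataclass
class StrengthResult:
    ok: bool                 # passes length AND the 3-of-4 rule
    length_ok: bool          # passes the length check alone
    present: list = field(default_factory=list)   # categories found
    missing: list = field(default_factory=list)   # categories not found


def check_strength(password, min_length=MIN_LENGTH, required=REQUIRED_CATEGORIES):
    """Apply the length-plus-3-of-4 rule to a candidate password.

    Returns a StrengthResult rather than a bare bool so the caller (for
    example a profile-update hook) can tell the user which categories are
    still missing instead of just rejecting the password.
    """
    present = [name for name, test in CATEGORIES.items()
               if any(test(c) for c in password)]
    missing = [name for name in CATEGORIES if name not in present]
    length_ok = len(password) >= min_length
    ok = length_ok and len(present) >= required
    return StrengthResult(ok, length_ok, present, missing)


if __name__ == "__main__":
    # Constructed sample candidates for demonstration, not real credentials.
    for candidate in ["troubador", "Troubador1", "Ab1!", "TROUBADOR1!", "Tr0ub4dor&3"]:
        r = check_strength(candidate)
        print(f"{candidate!r}: ok={r.ok} length_ok={r.length_ok} "
              f"present={r.present} missing={r.missing}")
```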

