[wp-hackers] Securing Wordpress Login

Arne Brachhold himself at arnebrachhold.de
Mon Aug 21 23:19:57 GMT 2006


Sean Hickey wrote:
> Changing the person's password after X number of tries might not work [...]

Changing a user's password after several tries is not an option because it
gives the "hacker" the possibility to change something... I don't want
to get a new password every day just because someone tries to guess
it.

> I have a hard time imagining WP ever putting a CAPTCHA check on the
> login page, since that is an accessibility problem.

I would prefer a wait time after 3 unsuccessful times, like a
sleep(20); or something similar. If somebody tries to log in more than
five times you can normally be sure that he's not the right user... or
does any of you have more than five different passwords? Even Matt
had just one for everything ;)

> I think the only real option is to disable the account [...]

Locking an account is also not good. I still want to be able to log in
and post / change my password even if somebody tries to break into my
blog.

Maybe one of the next WP versions could include a simple password
check at the setup / user administration marking a password as "Good",
"Middle" or "Bad" while typing so the user can decide to use his
standard insecure 4 character password or another one.

-- 
Arne Brachhold
mail:  himself at arnebrachhold.de
web:   http://www.arnebrachhold.de/
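The wait-after-N-failures idea from the message above, written out as an added example in Python (not PHP, and not code from the thread or from WordPress): a per-account throttle that imposes a growing, capped wait after three consecutive failures, never locks the account, and resets on success. It assumes the caller has already run the credential check and passes in its result; the constants are illustrative.

```python
"""Per-account login throttle: delay instead of lockout or password reset.

Added example, not WordPress code. The caller verifies the password and
passes the outcome in; this class only decides whether to accept it yet.
"""
import time
from dataclasses import dataclass

FREE_ATTEMPTS = 3    # failures tolerated before any wait is imposed
BASE_DELAY = 20.0    # seconds, matching the "sleep(20)" in the thread
MAX_DELAY = 300.0    # cap, so the wait never amounts to a permanent lockout


@dataclass
class AccountState:
    failures: int = 0        # consecutive failed attempts
    not_before: float = 0.0  # clock value before which attempts are refused


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable for testing
        self._state = {}         # username -> AccountState (in-memory, illustrative)

    def required_delay(self, failures):
        """Wait to impose after `failures` consecutive failures: 0, 0, 20, 40, 80, ... capped."""
        if failures < FREE_ATTEMPTS:
            return 0.0
        return min(BASE_DELAY * 2 ** (failures - FREE_ATTEMPTS), MAX_DELAY)

    def attempt(self, username, password_ok):
        """Return (accepted, seconds_to_wait) for one login attempt."""
        st = self._state.setdefault(username, AccountState())
        now = self._clock()
        if now < st.not_before:
            # Inside the wait window: refuse without looking at the credential result,
            # so hammering the form during the window does not extend it.
            return False, st.not_before - now
        if password_ok:
            st.failures = 0          # a real login clears the counter
            st.not_before = 0.0
            return True, 0.0
        st.failures += 1
        wait = self.required_delay(st.failures)
        st.not_before = now + wait
        return False, wait
```

A legitimate user who hits the window simply waits out the current delay and logs in; an attacker gets one guess per window, and the window grows with each failure.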

