[wp-hackers] Securing Wordpress Login

Rob Miller r at robm.me.uk
Tue Aug 22 17:56:24 GMT 2006


Jeff Minard wrote:
> Robert Deaton wrote:
>   
>> And someone who wants to stop you from using your blog just issues a
>> login attempt with your username every 19 seconds, and you're locked
>> out.
>>     
>
> I agree. It seems stupid to punish the user's account for the actions of
> a would-be hacker.
>
> I'd much rather see the IP logged three times, and then simply blocked.
> This would eliminate a lot of the db overhead of locking an account and
> continuing to check it each time. Log the attempts, grab some data about
> it and keep it around.
>
> Just block the offending IP and be on with life. Not sure how you handle
> a very advanced cracker, i.e., one that uses multiple IPs.
>
By telling people their passwords are weak in the admin interface, and 
if they get compromised after that saying "well, you should have had a 
strong password like we advised".

There's only so much that is WordPress's responsibility here.

-- 
Rob Miller
http://robm.me.uk/ | http://kantian.co.uk/
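The per-IP alternative Jeff sketches above (log the failures, block the source after three), as an added example written for this thread rather than anything from WordPress or from the people quoted. It is plain Python rather than PHP so the logic is easy to run on its own. The class name, the thresholds (3 failures in a 5 minute window, 15 minute block) and the IP addresses are all assumptions chosen for the demo; the addresses come from the documentation ranges.

```python
import time
from collections import defaultdict, deque


class IpLoginThrottle:
    """Track failed logins per source IP (not per username) and block the
    IP after `max_failures` failures inside `window` seconds. Blocks lift
    after `block_for` seconds. Assumed names and thresholds, not WordPress's."""

    def __init__(self, max_failures=3, window=300.0, block_for=900.0):
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._blocked_until = {}              # ip -> time at which the block lifts
        self.log = []                         # (timestamp, ip, username, event)

    def _prune(self, ip, now):
        # Forget failures older than the window so a slow trickle never adds up.
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Block expired: clear it and the failure history behind it.
            del self._blocked_until[ip]
            self._failures[ip].clear()
            return False
        return True

    def attempt(self, ip, username, password_ok, now=None):
        """Return True if the login is accepted.

        The block is checked before the password, so a blocked IP cannot
        keep probing credentials; the account itself is never locked, so
        the owner logging in from another address is unaffected."""
        now = time.time() if now is None else now
        if self.is_blocked(ip, now):
            self.log.append((now, ip, username, "rejected: ip blocked"))
            return False
        if password_ok:
            self._failures[ip].clear()
            self.log.append((now, ip, username, "success"))
            return True
        self._prune(ip, now)
        self._failures[ip].append(now)
        self.log.append((now, ip, username, "failure"))
        if len(self._failures[ip]) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_for
            self.log.append((now, ip, username, "ip blocked"))
        return False


def demo():
    """Constructed scenario: one address fails three times against 'admin'
    (every 19 seconds, as in the thread), while the owner logs in from a
    different address. Returns what a defender would want to verify."""
    t = IpLoginThrottle()
    attacker, owner = "203.0.113.9", "198.51.100.7"   # constructed sample IPs
    for ts in (0, 19, 38):
        t.attempt(attacker, "admin", password_ok=False, now=ts)
    return {
        "attacker_blocked": t.is_blocked(attacker, now=40),
        # Even the right password is refused from the blocked address.
        "attacker_with_right_password": t.attempt(attacker, "admin", True, now=41),
        # The account is not locked, so the owner gets in from home.
        "owner_logged_in": t.attempt(owner, "admin", True, now=42),
        "block_lifted_later": not t.is_blocked(attacker, now=38 + 900),
        "events": [e for (_, _, _, e) in t.log],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two caveats the thread already hints at: an attacker spread across many addresses never trips a per-IP counter, so this throttles only the naive case, and a block keyed on the address also catches everyone behind the same NAT or proxy, so the block duration should stay short and the log (kept here in `log`) is what lets you spot either situation.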
