[wp-hackers] Author URLs expose usernames

Rob Miller rob at bigfish.co.uk
Thu Jul 19 08:38:05 UTC 2012


On Thursday, 19 July 2012 at 09:10, Andrew Spratley wrote:

> You'd also tie up your php processes for 30s as well. I could hit your
> site from a collection of IPs and DOS you pretty quickly I'd imagine.
> It's best just to drop their connection either from within WP or
> integrate into iptables/fail2ban or something similar.

The point of this approach is usually to avoid showing a message to the user or to in any way actually *block* the attempt, but rather just to increase the amount of time taken to achieve it — similar to the philosophy used by hashing schemes like bcrypt with their concept of "work".

That way, if it *is* a legitimate user, who really does take ten attempts to remember their password, they're never blocked (and therefore never need manual intervention to unblock); they just have to wait a bit longer for the login to process.

But yes, as Andrew points out, you're opening yourself up to a DOS since it becomes trivial to get all of your Apache/php-fpm processes tied up at once, which means any new requests would be denied. So it's unfortunately not viable, however elegant it would be.

--

Rob Miller
Head of Digital

big fish®
11 Chelsea Wharf
15 Lots Road
London
SW10 0QJ
  
Office number: +44 (0)20 7795 0075
Direct number: +44 (0)20 7376 6799

www.bigfish.co.uk (http://www.bigfish.co.uk/)
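The two approaches the thread contrasts, written out as a small WordPress plugin. This is an added example, not code from either poster or from WordPress core; the transient key prefix, the 15-minute window, the 2^n-second delay formula and the 10-failure limit are this example's own assumptions. Variant A is the "work factor" sleep that Rob describes, which never rejects a login but holds a PHP worker for the whole delay; Variant B is the "drop the attempt" alternative Andrew suggests, which returns immediately.

```php
<?php
/*
 * Plugin Name: Login throttle comparison (added example, not from the thread)
 *
 * Both variants share a per-IP failure counter kept in a transient.
 * Only one of the two authenticate hooks at the bottom should be enabled.
 */

// Per-client counter key. REMOTE_ADDR is only trustworthy when no reverse
// proxy sits in front of PHP; behind one, read the proxy's header instead
// and validate it, or every attacker shares (and locks out) one counter.
function lt_failure_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lt_failures_' . md5($ip);   // assumed key prefix
}

// Count a failed login. The 15-minute window is an assumption; each
// failure refreshes it, so a persistent guesser never sees the counter expire.
function lt_record_failure($username) {
    $key = lt_failure_key();
    $n   = (int) get_transient($key);
    set_transient($key, $n + 1, 15 * MINUTE_IN_SECONDS);
}
add_action('wp_login_failed', 'lt_record_failure');

// Clear the counter once a login succeeds.
function lt_clear_failures($user_login, $user) {
    delete_transient(lt_failure_key());
}
add_action('wp_login', 'lt_clear_failures', 10, 2);

// Variant A: the sleep-based "work" approach. Nothing is ever refused; the
// request just takes 2^n seconds longer (capped at 30) after n failures.
// sleep() pins this php-fpm worker for the whole delay, so a handful of
// IPs sending concurrent requests can occupy the entire worker pool and
// stall every other visitor: the DoS both posters point out.
function lt_delay_authenticate($user, $username, $password) {
    $n = (int) get_transient(lt_failure_key());
    if ($n > 0) {
        $delay = (int) min(30, pow(2, $n));
        sleep($delay);          // worker is tied up here
    }
    return $user;               // normal password check runs afterwards
}

// Variant B: refuse the attempt instead. wp_authenticate_user fires inside
// core's password check after the user lookup but before wp_check_password,
// so returning a WP_Error here skips the hash comparison entirely. The
// hook costs one transient read and returns at once, so a flood of
// requests does not hold workers. The 10-attempt limit is assumed.
function lt_block_authenticate($user, $password) {
    $n = (int) get_transient(lt_failure_key());
    if ($n >= 10) {
        return new WP_Error(
            'too_many_failures',
            __('Too many failed login attempts. Try again later.')
        );
    }
    return $user;
}

// Enable exactly one variant. Priority 1 on 'authenticate' runs before
// core's wp_authenticate_username_password (priority 20), so the delay
// is paid before the password is checked at all.
add_filter('wp_authenticate_user', 'lt_block_authenticate', 10, 2);
// add_filter('authenticate', 'lt_delay_authenticate', 1, 3);
```

With Variant B active, a rejected attempt still passes through wp_authenticate() as a WP_Error, so wp_login_failed fires and the counter keeps climbing; a legitimate user who hits the limit has to stop trying for the full window, which is exactly the "manual intervention" trade-off the thread is weighing against the sleep approach.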
