[wp-hackers] Limit Login Attempts

Michael Donaghy mike at donaghy.biz
Tue Apr 16 19:43:54 UTC 2013


Agreed. In fact, suspicious if the user doesn't exist altogether. Could
be troublesome for some who accidentally enter a username wrong, but
maybe there can be a way out of that use case.


On Tue, Apr 16, 2013 at 3:37 PM, William P. Davis <will.davis at gmail.com> wrote:

> +1 for something that immediately regards user as suspicious if they're
> probing an admin user that doesn't exist.
> Sent from my BlackBerry
>
> -----Original Message-----
> From: Abdussamad Abdurrazzaq <abdussamad at abdussamad.com>
> Sender: wp-hackers-bounces at lists.automattic.com
> Date: Wed, 17 Apr 2013 00:25:03
> To: <wp-hackers at lists.automattic.com>
> Reply-To: wp-hackers at lists.automattic.com
> Subject: Re: [wp-hackers] Limit Login Attempts
>
> Delaying response times would lock up Apache processes that could be
> used to serve other requests. It is likely to back fire on you.
>
> On 16/04/13 23:12, Doug Smith wrote:
> > I like the approach of the Login Security Solution plugin in the way it
> > enforces strong passwords and attempts to track both IPs and logins then do
> > blocking, delays, and password resets.
> > http://wordpress.org/extend/plugins/login-security-solution/
> >
> > This particular distributed attack is mostly probing the user name
> > "admin". It would seem that if a user with that name does not exist (since
> > it's no longer a default) then the attempt could instantly be treated in
> > the way the Login Security Solution plugin does but without waiting for
> > repeated attempts. The delays would at least slow the attempts looking for
> > an "admin" user.
> >
> > Doug
> >
> > On Apr 16, 2013, at 10:39 AM, wp-hackers-request at lists.automattic.com wrote:
> >
> >> Message: 5
> >> Date: Tue, 16 Apr 2013 11:39:48 -0400
> >> From: Chip Bennett <chip at chipbennett.net>
> >> Subject: Re: [wp-hackers] Limit Login Attempts
> >> To: "[wp-hackers]" <wp-hackers at lists.automattic.com>
> >> Message-ID:
> >>      <CAPdLKqd21azx7AA68mTgZ=r=AcoaXyZ+HAMri+pSjVn-jMS0=Q at mail.gmail.com>
> >> Content-Type: text/plain; charset=ISO-8859-1
> >>
> >> "Does that overlook something important?"
> >>
> >> Well, unless you whitelist your own IP address to bypass the login
> >> lockout, then if the brute-force attack attacks your actual username,
> >> you could find yourself locked out of your own site.
> >>
> >> Another solution is to .htaccess whitelist your own IP address for
> >> wp-login.php, but that may not exactly be a low-maintenance solution
> >> (dynamic IP addresses, logging in from multiple locations/IP
> >> addresses/devices, etc.).
> >>
> >>
> >> On Tue, Apr 16, 2013 at 11:32 AM, onlyunusedname
> >> <onlyunusedname at gmail.com> wrote:
> >>
> >>> I've been using something similar to what Jesse describes: limiting
> >>> attempts based on username so that I may disregard IP.  Does that
> >>> overlook something important?
> >
> > --
> > Doug Smith: doug at smithsrus.com
> > http://smithsrus.com
> >
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
>
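The thread above weighs three ideas: counting failures per username instead of per IP (onlyunusedname, Chip Bennett), the lockout risk that creates for the site owner unless their own IP bypasses the limit (Chip Bennett), flagging an address the moment it probes a non-existent user such as "admin" (Doug Smith, William P. Davis), and refusing quickly rather than sleeping so web server workers are not tied up (Abdussamad Abdurrazzaq). The following is an added example, not code from the thread or from the Login Security Solution plugin: a small Python model of that policy. The `LoginThrottle` class, its in-memory dictionaries (standing in for whatever persistent store a real plugin would use), the constructed user names and the RFC 5737 documentation addresses are all assumptions made for the demonstration; it does not hook into WordPress.

```python
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # failed attempts per username before lockout
LOCKOUT_SECONDS = 900       # how long a locked username or flagged IP stays blocked


@dataclass
class Decision:
    allowed: bool
    reason: str


class LoginThrottle:
    """Per-username failure counters (so a distributed attack cannot dodge a
    per-IP limit), an immediate flag for IPs that probe usernames that do not
    exist, and a trusted-IP bypass so the site owner is never locked out.
    Hypothetical class written for this example; state is kept in memory."""

    def __init__(self, known_users, trusted_ips=(), clock=time.time):
        self.known_users = set(known_users)
        self.trusted_ips = set(trusted_ips)
        self.clock = clock            # injectable so the scenario below is deterministic
        self.failures = {}            # username -> consecutive failed attempts
        self.locked_until = {}        # username -> unix time the lockout expires
        self.flagged_until = {}       # ip -> unix time the probing flag expires

    def check(self, username, ip):
        """Run before the password is verified. Returns at once: a refusal is a
        plain error response, never a sleep() that would pin a server worker."""
        now = self.clock()
        if ip in self.trusted_ips:
            return Decision(True, "trusted ip")
        if self.flagged_until.get(ip, 0) > now:
            return Decision(False, "ip flagged for probing a nonexistent user")
        if self.locked_until.get(username, 0) > now:
            return Decision(False, "username locked")
        return Decision(True, "ok")

    def record_failure(self, username, ip):
        now = self.clock()
        if ip in self.trusted_ips:
            return
        if username not in self.known_users:
            # One attempt against a user that does not exist is enough to flag the IP.
            self.flagged_until[ip] = now + LOCKOUT_SECONDS
            return
        count = self.failures.get(username, 0) + 1
        if count >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0
        else:
            self.failures[username] = count

    def record_success(self, username):
        self.failures.pop(username, None)


def simulate():
    """Constructed scenario: ten addresses probe the non-existent 'admin', ten
    others each make one guess against the real 'editor', then the owner tries
    to log in from an untrusted and from a trusted address."""
    clock = [1_000_000.0]
    throttle = LoginThrottle(known_users={"editor"}, trusted_ips={"203.0.113.10"},
                             clock=lambda: clock[0])
    probe_ips = [f"192.0.2.{n}" for n in range(1, 11)]
    spray_ips = [f"198.51.100.{n}" for n in range(1, 11)]

    # 1. Probing "admin": every address is flagged after a single attempt.
    for ip in probe_ips:
        throttle.record_failure("admin", ip)
    admin_probe_blocked = all(not throttle.check("admin", ip).allowed for ip in probe_ips)

    # 2. One guess per address against "editor": a per-IP limit would never fire,
    #    but the per-username counter locks the account at the fifth failure.
    for ip in spray_ips:
        if throttle.check("editor", ip).allowed:
            throttle.record_failure("editor", ip)
    editor_locked = not throttle.check("editor", "198.51.100.200").allowed

    # 3. The failure mode Chip raises: the real editor is locked out as well ...
    owner_from_untrusted_ip = throttle.check("editor", "192.0.2.77").allowed
    # ... unless they arrive from a whitelisted address.
    owner_from_trusted_ip = throttle.check("editor", "203.0.113.10").allowed

    # 4. Once the window expires the account is usable again without intervention.
    clock[0] += LOCKOUT_SECONDS + 1
    owner_after_expiry = throttle.check("editor", "192.0.2.77").allowed

    return {
        "admin_probe_blocked": admin_probe_blocked,
        "editor_locked": editor_locked,
        "owner_from_untrusted_ip": owner_from_untrusted_ip,
        "owner_from_trusted_ip": owner_from_trusted_ip,
        "owner_after_expiry": owner_after_expiry,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Step 3 of the scenario is the trade-off the thread circles around: per-username counting stops a distributed spray that a per-IP limit would miss, at the price that an attacker who knows the real username can keep it locked, so the owner needs a bypass such as the trusted-IP list, and the lockout must expire on its own. Step 1 shows why the "non-existent admin" signal is cheap to act on: there is no legitimate traffic to that username, so a single attempt is already a reliable indicator.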

