[wp-hackers] Limit Login Attempts
Ian Dunn
ian at iandunn.name
Tue Apr 16 19:48:18 UTC 2013
PHP has levenshtein() and similar_text() to calculate how closely
related two strings are to each other.
http://php.net/manual/en/function.levenshtein.php
http://www.php.net/manual/en/function.similar-text.php
On 04/16/2013 12:43 PM, Michael Donaghy wrote:
> Agreed. In fact, suspicious if the user doesn't exist all together. Could
> be troublesome for some who accidentally enters in a username wrong, but
> maybe there can be a way out of that use case.
>
>
> On Tue, Apr 16, 2013 at 3:37 PM, William P. Davis <will.davis at gmail.com> wrote:
>
>> +1 for something that immediately regards user as suspicious if they're
>> probing an admin user that doesn't exist.
>> Sent from my BlackBerry
>>
>> -----Original Message-----
>> From: Abdussamad Abdurrazzaq <abdussamad at abdussamad.com>
>> Sender: wp-hackers-bounces at lists.automattic.com
>> Date: Wed, 17 Apr 2013 00:25:03
>> To: <wp-hackers at lists.automattic.com>
>> Reply-To: wp-hackers at lists.automattic.com
>> Subject: Re: [wp-hackers] Limit Login Attempts
>>
>> Delaying response times would lock up Apache processes that could be
>> used to serve other requests. It is likely to back fire on you.
>>
>> On 16/04/13 23:12, Doug Smith wrote:
>>> I like the approach of the Login Security Solution plugin in the way it
>>> enforces strong passwords and attempts to track both IPs and logins then do
>>> blocking, delays, and password resets.
>>> http://wordpress.org/extend/plugins/login-security-solution/
>>>
>>> This particular distributed attack is mostly probing the user name
>>> "admin". It would seem that if a user with that name does not exist (since
>>> it's no longer a default) then the attempt could instantly be treated in
>>> the way the Login Security Solution plugin does but without waiting for
>>> repeated attempts. The delays would at least slow the attempts looking for
>>> an "admin" user.
>>> Doug
>>>
>>> On Apr 16, 2013, at 10:39 AM, wp-hackers-request at lists.automattic.com wrote:
>>>
>>>> Message: 5
>>>> Date: Tue, 16 Apr 2013 11:39:48 -0400
>>>> From: Chip Bennett <chip at chipbennett.net>
>>>> Subject: Re: [wp-hackers] Limit Login Attempts
>>>> To: "[wp-hackers]" <wp-hackers at lists.automattic.com>
>>>> Message-ID:
>>>> <CAPdLKqd21azx7AA68mTgZ=r=AcoaXyZ+HAMri+pSjVn-jMS0=Q at mail.gmail.com>
>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>>
>>>> "Does that overlook something important?"
>>>>
>>>> Well, unless you whitelist your own IP address to bypass the login lockout,
>>>> then if the brute-force attack attacks your actual username, you could find
>>>> yourself locked out of your own site.
>>>>
>>>> Another solution is to .htaccess whitelist your own IP address for
>>>> wp-login.php, but that may not exactly be a low-maintenance solution
>>>> (dynamic IP addresses, logging in from multiple locations/IP
>>>> addresses/devices, etc.).
>>>>
>>>>
>>>> On Tue, Apr 16, 2013 at 11:32 AM, onlyunusedname
>>>> <onlyunusedname at gmail.com> wrote:
>>>>
>>>>> I've been using something similar to what Jesse describes: limiting
>>>>> attempts based on username so that I may disregard IP. Does that overlook
>>>>> something important?
>>> --
>>> Doug Smith: doug at smithsrus.com
>>> http://smithsrus.com
>>>
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
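The username-based check discussed in this thread, as an added PHP example (not Ian's code and not the Login Security Solution plugin's): it uses levenshtein() to tell a likely typo of a real username from a probe for an account such as "admin" that does not exist, and keeps the per-username attempt counter the thread describes. The user list, the counter storage and the thresholds are assumptions.

```php
<?php
// Added example: classify a failed login attempt. A username that exists goes
// through the usual per-username attempt counter; a username that does not exist
// is treated as a probe unless it is within a small edit distance of a real
// account, which suggests a typo. $knownUsers stands in for a lookup against the
// WordPress users table (assumption); the thresholds are assumptions too.

const TYPO_MAX_DISTANCE = 2;      // levenshtein() distance still treated as a typo
const MAX_ATTEMPTS_PER_USER = 5;  // per-username failures before lockout

/**
 * Returns 'exists', 'typo' or 'probe' for an attempted username.
 * Comparison is case-insensitive, as WordPress logins are.
 */
function classify_username(string $attempted, array $knownUsers): string
{
    $attempted = strtolower($attempted);
    $lowered = array_map('strtolower', $knownUsers);
    if (in_array($attempted, $lowered, true)) {
        return 'exists';
    }
    // Not a real account: is it close enough to one to be a typo?
    foreach ($lowered as $user) {
        if (levenshtein($attempted, $user) <= TYPO_MAX_DISTANCE) {
            return 'typo';
        }
    }
    return 'probe';
}

/**
 * Decide what to do with a failed login. $attempts is the per-username failure
 * counter (keyed by lowercase username), updated in place; persistent storage is
 * assumed. Returns 'allow', 'lockout' or 'block'.
 */
function handle_failed_login(string $attempted, array $knownUsers, array &$attempts): string
{
    if (classify_username($attempted, $knownUsers) === 'probe') {
        return 'block';   // immediately suspicious, no waiting for repeats
    }
    $key = strtolower($attempted);
    $attempts[$key] = ($attempts[$key] ?? 0) + 1;
    return $attempts[$key] >= MAX_ATTEMPTS_PER_USER ? 'lockout' : 'allow';
}

// Constructed sample: "admin" no longer exists, "editor" and "site_owner" do.
$knownUsers = ['editor', 'site_owner'];
$attempts = [];
foreach (['admin', 'edtor', 'editor'] as $name) {
    echo $name, ' => ', handle_failed_login($name, $knownUsers, $attempts), PHP_EOL;
}
```

Keep the classification server-side and return the same error page for every branch; a different response per branch would tell a client which usernames exist.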