[wp-hackers] Limit Login Attempts

Marko Heijnen mailing at markoheijnen.nl
Tue Apr 16 20:07:58 UTC 2013


Awesome, Vid, thanks for your reaction. Hosting companies like yours do help in getting insight into this kind of thing.

I do like point 2 in a way. I did copy/paste the list from WP Engine and modify it into nginx rules. And 90,000 IPs doesn't work, but blocking the top 50 does help.
For 3 it can be more feasible if you only do that for wp-login.php, but I do get what you mean. It's a pain.

I'm not sure what the code is behind 2-factor authentication, but it doesn't seem feasible for the regular websites; on the bigger sites, yes, it is the way to go.

Marko


On 16 Apr 2013, at 21:56, Vid Luther <vid at zippykid.com> wrote:

> As a hosting provider, here's our take on things.. we'd love your feedback.
> 
> 1. Having dictionary based passwords is a very good way to get in, these
> bots can sometimes guess the right password on the first hit, if that
> happens, a "brute force detector" is useless.
> 
> 2. In theory, as a hosting provider, we would love a way to share the
> offending ips across our sites and with other providers. Maintaining the
> accuracy of this list is daunting, and something we're understaffed to do.
> 
> 3. Blocking 90,000 ips is not feasible. Currently we're handling 250,000
> connections/second. Each connection being pre-approved will kill our edge
> devices. Now, compare that to Automattic, or the larger providers like
> Hostgator/GoDaddy etc.. it's just something that's not feasible.
> 
> 4. We don't use apache, so all these plugins that use .htaccess are useless
> on our systems.
> 
> 
> I personally think 2 factor authentication is where we need to move. It's
> going to be a pain to educate the layman about it, but it is possible, and
> we should. The websites we host at zippyKid are business websites, most of
> these businesses deploy an alarm on premise, why they wouldn't or shouldn't
> on their own website is beyond me. Trying to make WordPress login more
> "secure" is pointless. We need to make more educated users.
> 
> 
> 
> 
> On Tue, Apr 16, 2013 at 2:37 PM, William P. Davis <will.davis at gmail.com> wrote:
> 
>> +1 for something that immediately regards user as suspicious if they're
>> probing an admin user that doesn't exist.
>> Sent from my BlackBerry
>> 
>> -----Original Message-----
>> From: Abdussamad Abdurrazzaq <abdussamad at abdussamad.com>
>> Sender: wp-hackers-bounces at lists.automattic.com
>> Date: Wed, 17 Apr 2013 00:25:03
>> To: <wp-hackers at lists.automattic.com>
>> Reply-To: wp-hackers at lists.automattic.com
>> Subject: Re: [wp-hackers] Limit Login Attempts
>> 
>> Delaying response times would lock up Apache processes that could be
>> used to serve other requests. It is likely to backfire on you.
>> 
>> On 16/04/13 23:12, Doug Smith wrote:
>>> I like the approach of the Login Security Solution plugin in the way it
>>> enforces strong passwords and attempts to track both IPs and logins then do
>>> blocking, delays, and password resets.
>>> http://wordpress.org/extend/plugins/login-security-solution/
>>> 
>>> This particular distributed attack is mostly probing the user name
>>> "admin". It would seem that if a user with that name does not exist (since
>>> it's no longer a default) then the attempt could instantly be treated in
>>> the way the Login Security Solution plugin does but without waiting for
>>> repeated attempts. The delays would at least slow the attempts looking for
>>> an "admin" user.
>>> 
>>> Doug
>>> 
>>> On Apr 16, 2013, at 10:39 AM, wp-hackers-request at lists.automattic.com wrote:
>>> 
>>>> Message: 5
>>>> Date: Tue, 16 Apr 2013 11:39:48 -0400
>>>> From: Chip Bennett <chip at chipbennett.net>
>>>> Subject: Re: [wp-hackers] Limit Login Attempts
>>>> To: "[wp-hackers]" <wp-hackers at lists.automattic.com>
>>>> Message-ID: <CAPdLKqd21azx7AA68mTgZ=r=AcoaXyZ+HAMri+pSjVn-jMS0=Q at mail.gmail.com>
>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>> 
>>>> "Does that overlook something important?"
>>>> 
>>>> Well, unless you whitelist your own IP address to bypass the login lockout,
>>>> then if the brute-force attack attacks your actual username, you could find
>>>> yourself locked out of your own site.
>>>> 
>>>> Another solution is to .htaccess whitelist your own IP address for
>>>> wp-login.php, but that may not exactly be a low-maintenance solution
>>>> (dynamic IP addresses, logging in from multiple locations/IP
>>>> addresses/devices, etc.).
>>>> 
>>>> 
>>>> On Tue, Apr 16, 2013 at 11:32 AM, onlyunusedname
>>>> <onlyunusedname at gmail.com> wrote:
>>>> 
>>>>> I've been using something similar to what Jesse describes: limiting
>>>>> attempts based on username so that I may disregard IP.  Does that overlook
>>>>> something important?
>>> 
>>> --
>>> Doug Smith: doug at smithsrus.com
>>> http://smithsrus.com
>>> 
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>> 
>> 
>> 
> 
> 
> 
> -- 
> Vid Luther
> CEO and Founder
> ZippyKid
> Managed Wordpress Hosting
> http://zippykid.com/
> 210-789-0369

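One way to combine the ideas raised in this thread (counting failures per username rather than per IP, an operator IP allowlist so the site owner is not locked out of their own site, treating a probe for a nonexistent username such as the old default "admin" as suspicious right away, and no artificial delays that would tie up server processes), written as an added illustrative WordPress plugin. It is not from the original thread or from any plugin mentioned in it; the allowlist IP, the limits and the `ult_` names are assumptions.

```php
<?php
/*
Plugin Name: Username-based login throttle (illustrative example)
*/

// Assumed operator allowlist (constructed example IP): attempts from these
// addresses are never throttled, so the real owner cannot lock themselves out.
function ult_allowlist() {
    return array( '203.0.113.10' );
}
define( 'ULT_MAX_FAILS', 5 );                       // assumed threshold
define( 'ULT_WINDOW',    15 * MINUTE_IN_SECONDS );  // assumed lockout window

function ult_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Counter key is derived from the username, not the source IP, so a
// distributed attack on one account still accumulates in a single counter.
function ult_key( $username ) {
    return 'ult_fails_' . md5( strtolower( $username ) );
}

// Runs on the 'authenticate' filter after core's password check (priority 20).
// Returning a WP_Error refuses the login; no sleep() is used, since delaying
// responses only occupies worker processes.
function ult_authenticate( $user, $username, $password ) {
    if ( empty( $username ) || in_array( ult_client_ip(), ult_allowlist(), true ) ) {
        return $user;
    }
    $generic = new WP_Error( 'ult_locked', __( 'Login temporarily disabled.' ) );
    // A username that does not exist is flagged on the first attempt;
    // the same generic message is returned so nothing extra is revealed.
    if ( ! username_exists( $username ) ) {
        error_log( sprintf( 'login probe for nonexistent user "%s" from %s',
                            $username, ult_client_ip() ) );
        return $generic;
    }
    if ( (int) get_transient( ult_key( $username ) ) >= ULT_MAX_FAILS ) {
        return $generic;
    }
    return $user;
}
add_filter( 'authenticate', 'ult_authenticate', 30, 3 );

// Increment the per-username failure counter; the transient expires by itself.
function ult_login_failed( $username ) {
    $key = ult_key( $username );
    set_transient( $key, (int) get_transient( $key ) + 1, ULT_WINDOW );
}
add_action( 'wp_login_failed', 'ult_login_failed' );
```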