[wp-hackers] Limit Login Attempts

Marko Heijnen mailing at markoheijnen.nl
Tue Apr 16 20:11:37 UTC 2013


I agree on the best practices except the admin usernames. It's idiotic to have an admin name such as Marko1321more23421weird.

Marko

On 16 Apr 2013, at 22:01, Jesse Friedman <highfive at jesserfriedman.com> wrote:

> Right now you can get confirmation from WordPress that an admin username
> exists simply by going to the forgotten password screen. It will literally
> tell you if you don't have the right username, and when you finally do, it
> will confirm that an email has been sent.
> 
> That should be fixed
> 
> I tell clients, colleagues and students to employ best practices like:
> 
>   - never publishing content with a role greater than author
>   - admin usernames should be far more difficult than a typical username
>   (e.g. j4Friedman49)
>   - passwords should be 10 characters long, uppercase, lowercase, numbers
>   and characters
> 
> Those best practices, combined with functionality that simply presents
> captcha based on too many attempts whether it is IP or username based will
> fix everything.
> 
> Jesse
> 
> 
> On Tue, Apr 16, 2013 at 3:48 PM, Ian Dunn <ian at iandunn.name> wrote:
> 
>> PHP has levenshtein() and similar_text() to calculate how closely related
>> two strings are to each other.
>> 
>> http://php.net/manual/en/function.levenshtein.php
>> http://www.php.net/manual/en/function.similar-text.php
>> 
>> 
>> 
>> On 04/16/2013 12:43 PM, Michael Donaghy wrote:
>> 
>>> Agreed.  In fact, suspicious if the user doesn't exist altogether. Could
>>> be troublesome for some who accidentally enter a username wrong, but
>>> maybe there can be a way out of that use case.
>>> 
>>> 
>>> On Tue, Apr 16, 2013 at 3:37 PM, William P. Davis <will.davis at gmail.com> wrote:
>>> 
>>>> +1 for something that immediately regards user as suspicious if they're
>>>> probing an admin user that doesn't exist.
>>>> Sent from my BlackBerry
>>>> 
>>>> -----Original Message-----
>>>> From: Abdussamad Abdurrazzaq <abdussamad at abdussamad.com>
>>>> Sender: wp-hackers-bounces at lists.automattic.com
>>>> Date: Wed, 17 Apr 2013 00:25:03
>>>> To: wp-hackers at lists.automattic.com
>>>> Reply-To: wp-hackers at lists.automattic.com
>>>> Subject: Re: [wp-hackers] Limit Login Attempts
>>>> 
>>>> Delaying response times would lock up Apache processes that could be
>>>> used to serve other requests. It is likely to backfire on you.
>>>> 
>>>> On 16/04/13 23:12, Doug Smith wrote:
>>>> 
>>>>> I like the approach of the Login Security Solution plugin in the way it
>>>>> enforces strong passwords and attempts to track both IPs and logins then
>>>>> do blocking, delays, and password resets.
>>>>> 
>>>>> http://wordpress.org/extend/plugins/login-security-solution/
>>>>> 
>>>>> This particular distributed attack is mostly probing the user name
>>>>> "admin". It would seem that if a user with that name does not exist
>>>>> (since it's no longer a default) then the attempt could instantly be
>>>>> treated in the way the Login Security Solution plugin does but without
>>>>> waiting for repeated attempts. The delays would at least slow the
>>>>> attempts looking for an "admin" user.
>>>>> 
>>>>> Doug
>>>>> 
>>>>> On Apr 16, 2013, at 10:39 AM, wp-hackers-request at lists.automattic.com wrote:
>>>>> 
>>>>>> Message: 5
>>>>>> Date: Tue, 16 Apr 2013 11:39:48 -0400
>>>>>> From: Chip Bennett <chip at chipbennett.net>
>>>>>> Subject: Re: [wp-hackers] Limit Login Attempts
>>>>>> To: "[wp-hackers]" <wp-hackers at lists.automattic.com>
>>>>>> Message-ID:
>>>>>>      <CAPdLKqd21azx7AA68mTgZ=r=AcoaXyZ+HAMri+pSjVn-jMS0=Q at mail.gmail.com>
>>>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>>>> 
>>>>>> "Does that overlook something important?"
>>>>>> 
>>>>>> Well, unless you whitelist your own IP address to bypass the login
>>>>>> lockout, then if the brute-force attack attacks your actual username,
>>>>>> you could find yourself locked out of your own site.
>>>>>> 
>>>>>> Another solution is to .htaccess whitelist your own IP address for
>>>>>> wp-login.php, but that may not exactly be a low-maintenance solution
>>>>>> (dynamic IP addresses, logging in from multiple locations/IP
>>>>>> addresses/devices, etc.).
>>>>>> 
>>>>>> 
>>>>>> On Tue, Apr 16, 2013 at 11:32 AM, onlyunusedname
>>>>>> <onlyunusedname at gmail.com> wrote:
>>>>>> 
>>>>>>> I've been using something similar to what Jesse describes: limiting
>>>>>>> attempts based on username so that I may disregard IP.  Does that
>>>>>>> overlook something important?
>>>>>>> 
>>>>> --
>>>>> Doug Smith: doug at smithsrus.com
>>>>> http://smithsrus.com
>>>>> 
>>>>> _______________________________________________
>>>>> wp-hackers mailing list
>>>>> wp-hackers at lists.automattic.com
>>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> 
> 
> 
> -- 
> thanks
> jesse friedman
> jes.se.com
> Book: Web Designers Guide to WordPress - http://wdgwp.com/onamazon
> Twitter: @professor <http://twitter.com/professor>
> Facebook: Like <https://www.facebook.com/pages/Jesse-Friedman/204793299545174>
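The enumeration Jesse describes (the reset screen answering differently for an unknown username than for a known one), as an added example in plain PHP that is not WordPress code and is not from this thread: the leaky handler beside a version that answers identically either way. The user table, the mail queue and the message texts are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added example (not WordPress code): a "lost password" handler that leaks
// whether a username exists, beside one that does not. The user table and
// the mailer are constructed stand-ins so the file runs on its own.

const USERS = [
    'editor_jane'  => 'jane@example.com',
    'j4Friedman49' => 'jesse@example.com',
];

/** Constructed stand-in for the mailer: records recipients instead of sending. */
final class MailQueue
{
    /** @var string[] */
    public static $queued = [];

    public static function add(string $email): void
    {
        // Queue the message for a background sender rather than delivering it
        // inline: once the reply text is uniform, response time is the side
        // channel that remains, and an SMTP round trip that happens only for
        // real accounts would leak the same bit.
        self::$queued[] = $email;
    }
}

/**
 * Vulnerable: the reply differs depending on whether the login exists, so an
 * attacker confirms usernames one request at a time.
 */
function leakyLostPassword(string $login): string
{
    if (!array_key_exists($login, USERS)) {
        return 'ERROR: Invalid username.';
    }
    MailQueue::add(USERS[$login]);
    return 'Check your e-mail for the confirmation link.';
}

/**
 * Hardened: identical wording (and, in a real handler, identical status code
 * and redirect) for every input. Mail is still queued only for real accounts,
 * but nothing in the reply tells the requester which case occurred.
 */
function uniformLostPassword(string $login): string
{
    if (array_key_exists($login, USERS)) {
        MailQueue::add(USERS[$login]);
    }
    return 'If that username belongs to an account, a reset link has been e-mailed.';
}

// Constructed probes: one name that does not exist, one that does.
foreach (['admin', 'j4Friedman49'] as $probe) {
    printf("%-13s leaky:   %s\n", $probe, leakyLostPassword($probe));
    printf("%-13s uniform: %s\n", $probe, uniformLostPassword($probe));
}
printf("queued mail: %s\n", implode(', ', MailQueue::$queued));
```

The uniform reply only closes the hole if everything the client can observe is identical: the wording, the HTTP status, any redirect, and the time taken. Handing the mail to a queue rather than sending it in the request is what keeps the timing flat; the login screen's own "wrong password" message is a separate enumeration channel and needs the same treatment.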


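The thread's remaining suggestions, as one added example in plain PHP that is neither WordPress code nor any plugin's: levenshtein(), as Ian mentions, used to treat a failed attempt on a non-existent "admin"-like name as a probe and block it at once (Doug's and William's point), a per-username and per-IP failure count for everything else, and an owner IP whitelist so that an attack on the real username cannot lock the owner out (Chip's caveat). The user list, thresholds, addresses and sample attempts are all constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from WordPress or any plugin named in the thread): a
// login-attempt limiter that blocks probes of a non-existent "admin"-style
// account immediately, counts other failures per username and per IP, and
// exempts a whitelisted owner address. Users, thresholds, addresses and the
// sample attempts below are constructed for the illustration.

const KNOWN_USERS     = ['j4Friedman49', 'editor_jane'];
const SENSITIVE_NAMES = ['admin', 'administrator', 'root'];
const MAX_DISTANCE    = 2;                // "admin1", "adm1n" count as admin probes
const MAX_FAILURES    = 5;                // per username and per source IP
const OWNER_WHITELIST = ['203.0.113.10']; // constructed owner address

final class LoginLimiter
{
    /** @var array<string,int> failure counts keyed "user:<name>" / "ip:<addr>" */
    private $failures = [];
    /** @var array<string,true> keys currently blocked */
    private $blocked = [];

    /** True if the username is (a near variant of) a sensitive name. */
    public static function looksLikeAdminProbe(string $username): bool
    {
        $candidate = strtolower($username);
        foreach (SENSITIVE_NAMES as $name) {
            $d = levenshtein($candidate, $name);
            // levenshtein() returns -1 for inputs over 255 bytes on older PHP;
            // a negative result must not be read as "close".
            if ($d >= 0 && $d <= MAX_DISTANCE) {
                return true;
            }
        }
        return false;
    }

    /** Decision before the password is even checked: 'allow' or 'blocked'. */
    public function check(string $username, string $ip): string
    {
        if (in_array($ip, OWNER_WHITELIST, true)) {
            return 'allow';
        }
        if (isset($this->blocked['ip:' . $ip]) || isset($this->blocked['user:' . $username])) {
            return 'blocked';
        }
        return 'allow';
    }

    /** Record a failed password check; returns the decision for the next try. */
    public function recordFailure(string $username, string $ip): string
    {
        if (in_array($ip, OWNER_WHITELIST, true)) {
            return 'allow';
        }
        $exists = in_array($username, KNOWN_USERS, true);
        if (!$exists && self::looksLikeAdminProbe($username)) {
            // No such account and the name targets "admin": treat the source
            // as hostile without waiting for repeated attempts.
            $this->blocked['ip:' . $ip] = true;
            return 'blocked-probe';
        }
        // Count against the IP always, and against the username only when it
        // is a real account (so junk names cannot fill the table).
        $keys = ['ip:' . $ip];
        if ($exists) {
            $keys[] = 'user:' . $username;
        }
        foreach ($keys as $key) {
            $this->failures[$key] = ($this->failures[$key] ?? 0) + 1;
            if ($this->failures[$key] >= MAX_FAILURES) {
                $this->blocked[$key] = true;
            }
        }
        return $this->check($username, $ip);
    }
}

// Constructed attempts: a distributed scan for "admin" variants from several
// addresses, one real account with a wrong password, then a single host
// hammering the owner's username until both it and the username are blocked.
$limiter  = new LoginLimiter();
$attempts = [
    ['admin',       '198.51.100.1'],
    ['Admin1',      '198.51.100.2'],
    ['adm1n',       '198.51.100.3'],
    ['editor_jane', '198.51.100.4'],
];
for ($i = 0; $i < MAX_FAILURES; $i++) {
    $attempts[] = ['j4Friedman49', '198.51.100.9'];
}
foreach ($attempts as [$user, $ip]) {
    printf("%-13s from %-13s -> %s\n", $user, $ip, $limiter->recordFailure($user, $ip));
}
// The owner is now locked out by username from anywhere except the whitelist.
printf("owner from 198.51.100.20 -> %s\n", $limiter->check('j4Friedman49', '198.51.100.20'));
printf("owner from 203.0.113.10  -> %s\n", $limiter->check('j4Friedman49', '203.0.113.10'));
```

Two caveats from the thread carry over. The instant block is keyed on the source address, so against the distributed scan Doug describes each bot gets exactly one probe before it is cut off, which is the point; but a legitimate user who mistypes into a non-existent admin-like name takes the same path (Michael's concern), so keep MAX_DISTANCE small and the sensitive list short. And a per-username lockout on a real account is itself a way to lock the owner out, which is why the whitelist is there; it carries the maintenance cost Chip notes for dynamic addresses and multiple devices.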
