[wp-testers] WordPress 2.0.1 Remote DoS Exploit?
dougal at gunters.org
Fri Mar 10 18:16:54 GMT 2006
Owen Winkler wrote:
> Dougal Campbell wrote:
>> As others have already pointed out, rate-limiting registrations by IP
>> number won't help when attackers switch to a distributed attack. And
>> besides, not many sites really *need* to have open registration. For
>> those that do, protection can be added by plugins using the
>> user_register API hook. I wonder if the Akismet plugin could even be
>> brought into play here? That might be an interesting extension.
> I think user_register happens after a registration is committed to the
> database. Minor point, but there isn't a nice, clean hook for generic
> registration filtering.
Even with the hook happening after the db commit, it still gives an
opportunity to monitor and limit unwanted activity. For instance, after
writing the info, a plugin could save the client IP number (or any other
info it wanted to check), and then check for patterns that indicate
abuse, and make appropriate countermeasures (3 registrations from the
same IP in the last hour? Delete them all!).
> steve caturan wrote:
>> i think a plugin to enable/disable Captcha for wp-register.php would
>> be a good deterrent. is that feasible or will that require a major
>> tweak in core?
> It would not take a major tweak in the core, but a couple of better
> placed hooks would make it easier.
Yes, some new action & filter hooks that occur before the info is
committed would probably be useful.
Dougal Campbell <dougal at gunters.org>
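An added example (not code from this thread or from WordPress itself) of the post-commit approach described above: a small plugin hooked on `user_register` that stores the registering client's IP and registration time in user meta, then removes every account registered from that IP within the last hour once a threshold is hit. It assumes a modern WordPress API (`get_users()` with `meta_query`, `HOUR_IN_SECONDS`, `user_can()`); the `ram_` function names, meta keys and the 3-per-hour threshold are constructed for this illustration.

```php
<?php
/*
Plugin Name: Registration Abuse Monitor (illustrative example)
Description: Records the registering client's IP on user_register and removes
             bursts of registrations from one IP. Example written for this
             thread, not a shipped plugin.
*/

// Tunables (constructed values matching the "3 from the same IP in the last hour" scenario).
define( 'RAM_MAX_PER_WINDOW', 3 );
define( 'RAM_WINDOW_SECONDS', HOUR_IN_SECONDS );
define( 'RAM_META_IP', '_ram_registration_ip' );   // hypothetical meta key
define( 'RAM_META_TS', '_ram_registration_time' ); // hypothetical meta key

function ram_client_ip() {
    // REMOTE_ADDR is the only address the web server itself vouches for.
    // X-Forwarded-For is client-controlled unless a trusted proxy rewrites it,
    // so it is deliberately not consulted here.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : '';
}

// Runs after the new user row has already been committed (as noted in the thread),
// so the plugin records the evidence and reacts afterwards rather than blocking.
function ram_on_user_register( $user_id ) {
    $ip = ram_client_ip();
    if ( '' === $ip ) {
        return;
    }
    update_user_meta( $user_id, RAM_META_IP, $ip );
    update_user_meta( $user_id, RAM_META_TS, time() );

    $recent = ram_recent_user_ids_for_ip( $ip, RAM_WINDOW_SECONDS );
    if ( count( $recent ) >= RAM_MAX_PER_WINDOW ) {
        ram_remove_users( $recent, $ip );
    }
}
add_action( 'user_register', 'ram_on_user_register' );

// All user IDs registered from $ip within the last $window seconds (includes the newest one).
function ram_recent_user_ids_for_ip( $ip, $window ) {
    $since = time() - $window;
    return get_users( array(
        'fields'     => 'ID',
        'meta_query' => array(
            'relation' => 'AND',
            array( 'key' => RAM_META_IP, 'value' => $ip ),
            array( 'key' => RAM_META_TS, 'value' => $since, 'compare' => '>=', 'type' => 'NUMERIC' ),
        ),
    ) );
}

function ram_remove_users( array $user_ids, $ip ) {
    require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() is defined here
    $removed = 0;
    foreach ( $user_ids as $uid ) {
        // Never delete privileged accounts, even if they happen to match the pattern.
        if ( user_can( $uid, 'manage_options' ) ) {
            continue;
        }
        if ( wp_delete_user( $uid ) ) {
            $removed++;
        }
    }
    // Leave an audit trail so the site owner can review what was removed and why.
    error_log( sprintf( 'registration-abuse: removed %d of %d accounts registered from %s within %d seconds',
        $removed, count( $user_ids ), $ip, RAM_WINDOW_SECONDS ) );
}
```

As the thread itself points out, a per-IP threshold like this only catches a single-source burst; a distributed registration flood spreads across many addresses and stays under the limit, which is why the check above is framed as one pattern among several a plugin could evaluate from the stored meta, and why the log line exists for a human to review.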