[wp-trac] [WordPress Trac] #24193: Anti brute force protection
WordPress Trac
noreply at wordpress.org
Tue Apr 1 03:51:36 UTC 2014
#24193: Anti brute force protection
-------------------------+-----------------------
 Reporter:  MAzZY        |       Owner:
     Type:  enhancement  |      Status:  reopened
 Priority:  normal       |   Milestone:
Component:  Users        |     Version:  3.5.1
 Severity:  normal       |  Resolution:
 Keywords:  has-patch    |     Focuses:
-------------------------+-----------------------
Comment (by knutsp):
The protection must be both per IP and per username.
The default limit must be fairly high, like at least 10 attempts
(filterable, of course).
A block on a username should cause an email to be sent to the user, allowing
them to unblock and log in once again (using a secret key in the URL), or
to request a password change.
It's important that a legitimate user is not blocked by others
attacking his/her account using his/her username. But we have the stored email
address and the ability to send an email.
A "last successful login IP" could also be stored for every login, as a
one-or-few-item whitelist for each user.
There is no need to save all the failed login attempts. What is needed is
the number of failed attempts, kept for a while, maybe as an incremented
counter. Any successful login should delete the log for both IP and user.
I am quite sure we can work this out!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/24193#comment:12>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
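The scheme knutsp sketches above (per-IP and per-username failure counters, a default limit of at least 10, a secret-key unlock link emailed when a username is blocked, the last successful login IP as a one-item whitelist, and a reset on any successful login), written out as a stand-alone simulation. This is an added example, not code from the ticket or from WordPress core: an in-memory store with explicit timestamps stands in for the transients and user meta a real plugin would use, the class and method names are invented for illustration, and the limit, window and token lifetime values are assumptions (the comment only asks for "at least 10", filterable).

```python
"""Simulation of the per-IP plus per-username login throttle proposed in
comment 12 of #24193.  Added example, not WordPress core code: dicts with
explicit 'now' timestamps replace transients/user meta, and sent_emails
records what wp_mail() would have sent.  Limit/window values are assumed."""
import hmac
import secrets
from dataclasses import dataclass, field

DEFAULT_LIMIT = 10          # failures allowed before a block (assumed; "at least 10", filterable)
WINDOW_SECONDS = 3600       # how long a failure counter lives before it expires (assumed)
UNLOCK_TTL_SECONDS = 3600   # lifetime of the emailed unlock token (assumed)


@dataclass
class _Counter:
    count: int
    expires_at: float


@dataclass
class LoginThrottle:
    limit: int = DEFAULT_LIMIT
    window: int = WINDOW_SECONDS
    ip_counters: dict = field(default_factory=dict)     # ip -> _Counter
    user_counters: dict = field(default_factory=dict)   # username -> _Counter
    last_login_ip: dict = field(default_factory=dict)   # username -> IP of last success (one-item whitelist)
    unlock_tokens: dict = field(default_factory=dict)   # username -> (token, expires_at)
    sent_emails: list = field(default_factory=list)     # (username, token) pairs that would be mailed

    def _bump(self, table, key, now):
        """Increment a counter, restarting it if its window has expired; returns the new count."""
        c = table.get(key)
        if c is None or c.expires_at <= now:
            c = _Counter(0, now + self.window)
            table[key] = c
        c.count += 1
        return c.count

    def _blocked(self, table, key, now):
        c = table.get(key)
        return c is not None and c.expires_at > now and c.count >= self.limit

    def is_blocked(self, ip, username, now):
        """True if the attempt must be rejected before the password is even checked."""
        if self._blocked(self.ip_counters, ip, now):
            return True
        if self._blocked(self.user_counters, username, now):
            # The username is blocked, but the user's own last-login IP is whitelisted,
            # so attackers hammering the username from elsewhere cannot lock them out.
            return self.last_login_ip.get(username) != ip
        return False

    def record_failure(self, ip, username, now):
        self._bump(self.ip_counters, ip, now)
        # Email the unlock key exactly when the username crosses the limit,
        # not on every further failure, so the attacker cannot flood the inbox.
        if self._bump(self.user_counters, username, now) == self.limit:
            self._send_unlock_email(username, now)

    def record_success(self, ip, username, now):
        """Any successful login deletes the log for both IP and user and refreshes the whitelist."""
        self.ip_counters.pop(ip, None)
        self.user_counters.pop(username, None)
        self.unlock_tokens.pop(username, None)
        self.last_login_ip[username] = ip

    def _send_unlock_email(self, username, now):
        token = secrets.token_urlsafe(32)            # unguessable secret key for the URL
        self.unlock_tokens[username] = (token, now + UNLOCK_TTL_SECONDS)
        self.sent_emails.append((username, token))   # stand-in for wp_mail()

    def unlock(self, username, token, now):
        """Consume the secret key from the emailed URL: single use, time-limited,
        constant-time compared.  Clears only the username block; the attacking
        IP stays blocked."""
        entry = self.unlock_tokens.get(username)
        if entry is None:
            return False
        stored, expires_at = entry
        if expires_at <= now or not hmac.compare_digest(stored, token):
            return False
        del self.unlock_tokens[username]
        self.user_counters.pop(username, None)
        return True

    def attempt(self, ip, username, password_ok, now):
        """One login attempt; returns True if it is accepted."""
        if self.is_blocked(ip, username, now):
            return False
        if password_ok:
            self.record_success(ip, username, now)
            return True
        self.record_failure(ip, username, now)
        return False
```

In a real plugin the two counters would be transients keyed by IP and by username, `last_login_ip` would be user meta written on the `wp_login` action, and `attempt()` would be split across the `authenticate` filter (the `is_blocked` check) and the `wp_login_failed` action (the counter bump). Note that `unlock()` deliberately leaves the attacker's IP counter alone: the emailed key proves the mailbox owner wants back in, not that the source of the failures was benign.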