[wp-hackers] Counting failed logins

Sam Angove sam at rephrase.net
Mon Dec 5 14:01:14 GMT 2005

On 12/5/05, Podz <podz at tamba2.org.uk> wrote:
> I'm making an assumption that in order to get access to a blog it has to
> be through wp-login.php and not some passing of a string, but is there a
> way for failed logins to be counted ?

It's pretty easy to edit wp-login.php to do it, just call the log
function when wp_login() fails (around line 196). If you habitually
watch your server error log, something like "trigger_error('WP Login
Error: '. $user_pass, E_USER_ERROR);" would do it. A bit harder

WP's error reporting is pretty terrible all around -- there's
something very wrong about a mature application producing error pages
which say nothing but "Cheatin' uh ?" -- but this probably isn't the
right time in the release cycle for an overhaul. :)

Another place logging would be good is the "die('GLOBALS overwrite
attempt detected');" in wp-settings.php -- just showing it to the
attacker isn't that helpful, but I'd very much like to know if
someone's trying it. Or trying to delete users. Or seeing any of the
"hi, you are unspeakably evil" errors, really -- most of the places WP
just die()s.

Just a pluggable wp_error() wrapper for die(), maybe? It has the
virtue of simplicity, at least. It'd be nice to prettify errors too,
though -- a WP-wide wpdb::bail()? -- but that leads to templating
etc., if only for the frequent user-facing errors, like the
comment-posting ones.

I'd also like a pony. ;)

More information about the wp-hackers mailing list