[wp-hackers] Counting failed logins
aaron at technosailor.com
Mon Dec 5 14:07:47 GMT 2005
A "wp-error" hook would be useful in these situations.
From: wp-hackers-bounces at lists.automattic.com
[mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Sam Angove
Sent: Monday, December 05, 2005 9:01 AM
To: wp-hackers at lists.automattic.com
Subject: Re: [wp-hackers] Counting failed logins
On 12/5/05, Podz <podz at tamba2.org.uk> wrote:
> I'm making an assumption that in order to get access to a blog it has
> to be through wp-login.php and not some passing of a string, but is
> there a way for failed logins to be counted?
It's pretty easy to edit wp-login.php to do it, just call the log function
when wp_login() fails (around line 196). If you habitually watch your server
error log, something like
"trigger_error('WP Login Error: '. $user_pass, E_USER_ERROR);"
would do it. A bit harder otherwise.
WP's error reporting is pretty terrible all around -- there's something very
wrong about a mature application producing error pages which say nothing but
"Cheatin' uh ?" -- but this probably isn't the right time in the release
cycle for an overhaul. :)
Another place logging would be good is the
"die('GLOBALS overwrite attempt detected');" in wp-settings.php -- just
showing it to the attacker isn't
that helpful, but I'd very much like to know if someone's trying it. Or
trying to delete users. Or seeing any of the "hi, you are unspeakably evil"
errors, really -- most of the places WP just die()s.
Just a pluggable wp_error() wrapper for die(), maybe? It has the virtue of
simplicity, at least. It'd be nice to prettify errors too, though -- a
WP-wide wpdb::bail()? -- but that leads to templating etc., if only for the
frequent user-facing errors, like the comment-posting ones.
I'd also like a pony. ;)
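A sketch of the pluggable die() wrapper and failed-login count discussed in this thread, as an added example that is not from the original messages or from WordPress. The names wp_log_event(), wp_error() and wp_count_failed_login() are hypothetical, the counter file path is constructed, and the example logs the user name and source address rather than the submitted password.

```php
<?php
// Added example, not WordPress code. All function names are hypothetical.

if (!function_exists('wp_log_event')) {   // pluggable: a plugin may define it first
    function wp_log_event(string $event, array $context = []): string {
        $context['ip'] = $_SERVER['REMOTE_ADDR'] ?? 'cli';
        $pairs = [];
        foreach ($context as $key => $value) {
            // Replace control characters so submitted input cannot forge log lines.
            $clean = preg_replace('/[\x00-\x1F\x7F]/', '?', (string) $value);
            $pairs[] = $key . '="' . addcslashes(substr($clean, 0, 64), '"\\') . '"';
        }
        $line = 'WP ' . $event . ' ' . implode(' ', $pairs);
        error_log($line);   // lands in the server error log (stderr under the CLI)
        return $line;
    }
}

if (!function_exists('wp_error')) {
    // Log the details, show the visitor only a generic message, then stop.
    function wp_error(string $event, string $public_message, array $context = []): void {
        wp_log_event($event, $context);
        die(htmlspecialchars($public_message));
    }
}

// Count failed logins per user name in a flat JSON file.
// The read-modify-write is not atomic across concurrent requests; a real
// deployment would hold a lock for the whole update or use the database.
function wp_count_failed_login(string $user_login, string $file): int {
    $counts = is_file($file) ? (json_decode(file_get_contents($file), true) ?: []) : [];
    $key = strtolower($user_login);
    $counts[$key] = ($counts[$key] ?? 0) + 1;
    file_put_contents($file, json_encode($counts), LOCK_EX);
    wp_log_event('login_failed', ['user' => $user_login, 'count' => $counts[$key]]);
    return $counts[$key];
}

// Constructed sample run: a failed attempt, then one carrying a forged log line.
$file = sys_get_temp_dir() . '/wp-failed-logins-demo.json';
@unlink($file);
wp_count_failed_login('admin', $file);
wp_count_failed_login("admin\nWP login_ok user=\"admin\"", $file);
wp_error('globals_overwrite', 'Request rejected.', ['var' => 'GLOBALS']);
```

Run from the command line, the three log lines go to stderr and only "Request rejected." is printed, with the embedded newline in the second user name replaced by "?" so it stays a single log entry.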