[wp-hackers] Securing Wordpress Login

Jamie Holly hovercrafter at earthlink.net
Mon Aug 21 13:05:49 GMT 2006

I had to go through this a couple of times on sites I administer. The
problem is you get some punk that loves to cause problems who decides to try
and brute force a login by running a dictionary file against the password
and login information to gain access to Wordpress. Sometimes trying to
explain to people that making up a random password consisting of upper and
lower case letters along with numbers just doesn't get through. I have ended
up hacking wp-login.php on these sites to include a CAPTCHA with every


I was wondering what everyone thought about adding something similar to the
core. It could even be modified to be similar to the way Yahoo works it,
where you get X amount of failed attempts and after that you are forced to
using the CAPTCHA.


Another option would be to have Wordpress reset the user's password after X
number of failed login attempts. This would be more ideal for people who are
hosted on companies that do not have GDImage enabled in PHP. Of course we
could make it customizable through the admin options:

-          Enable login security

-          Number of failed login attempts before invoking security

-          Security method: Password reset  or CAPTCHA


Considering the growing popularity of Wordpress and the increased use on
political sites, which are high targets for these attacks, I feel that
increasing security on the login would be highly welcomed. 


Jamie Holly



More information about the wp-hackers mailing list