[wp-hackers] Securing Wordpress Login

Brian Layman Brian at TheCodeCave.com
Mon Aug 21 13:52:06 GMT 2006

>Another option would be to have WordPress reset the user's password after 
>X number of failed login attempts.

I've always thought that this leads to a great attack vector: Invalidating a
small percentage of users' passwords every other day.  Annoying the
membership of a site, rather than the site itself, could accomplish more
than a one-time brute-force break-in with a lot less effort.  

Personally, I'd rather not see "retries" in the core, at least not on by
default.  I would advocate a "strong password" option that just checks for
length, and three out of the following four categories, when the password is
1. Upper case letters
2. Lower case letters
3. Numbers
4. Symbols/punctuation

Is the login screen pluggable? I've never looked... 
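The "strong password" check described in the message above, written out as an added example; this is not code from the wp-hackers thread or from WordPress core. It enforces a minimum length plus at least three of the four character categories listed (upper case, lower case, numbers, symbols/punctuation). The function name, the minimum length of 8, and the sample passwords are assumptions made for the example.

```php
<?php
// Added example, not from the thread or WordPress core: a "strong password"
// check that requires a minimum length and three of the four categories
// (upper case, lower case, numbers, symbols/punctuation).
// The function name and the default minimum length of 8 are assumptions.

function password_is_strong(string $password, int $min_length = 8): bool {
    if (strlen($password) < $min_length) {
        return false;
    }
    // One pattern per category; each category counts once regardless of
    // how many characters from it appear.
    $categories = [
        'upper'  => '/[A-Z]/',
        'lower'  => '/[a-z]/',
        'digit'  => '/[0-9]/',
        'symbol' => '/[^A-Za-z0-9]/',   // anything that is not a letter or digit
    ];
    $matched = 0;
    foreach ($categories as $pattern) {
        if (preg_match($pattern, $password) === 1) {
            $matched++;
        }
    }
    return $matched >= 3;
}

// Constructed sample passwords with the result the check should give.
$samples = [
    'password'      => false, // lower case only: one category
    'Password1'     => true,  // upper, lower, digit
    'pass-word-1'   => true,  // lower, digit, symbol
    'Short1!'       => false, // three categories, but under the minimum length
    'CorrectHorse!' => true,  // upper, lower, symbol
];
foreach ($samples as $candidate => $expected) {
    $result = password_is_strong($candidate);
    printf("%-14s %-6s %s\n",
        $candidate,
        $result ? 'strong' : 'weak',
        $result === $expected ? 'ok' : 'MISMATCH');
}
```

A check like this belongs where a password is being set (registration or profile update), not on the login form: rejecting weak passwords at creation time raises the cost of a brute-force attempt without giving anyone a way to lock other users out, which is the problem with the reset-after-X-failures idea.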

