[wp-hackers] Securing Wordpress Login

Jamie Holly hovercrafter at earthlink.net
Mon Aug 21 14:20:50 GMT 2006

There are hooks on the wp-login.php page, but going your route would
actually rely on hooking into the profile page since that is where passwords
are changed. Wordpress actually does a good job at generating the random
password when you first register so you wouldn't need to check there.

This would also be a working solution (I know some forum software uses this
same type of check). 

The other option would be to generate a plugin to invoke the captcha or
retry system and possibly distribute it with the core Wordpress just as an
option for people to secure their sites a little more.

Jamie Holly

-----Original Message-----
From: wp-hackers-bounces at lists.automattic.com
[mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Brian Layman
Sent: Monday, August 21, 2006 9:52 AM
To: wp-hackers at lists.automattic.com
Subject: RE: [wp-hackers] Securing Wordpress Login

>Another option would be to have WordPress reset the user's password after 
>X number of failed login attempts.

I've always thought that this leads to a great attack vector: invalidating a
small percentage of users' passwords every other day.  Annoying the
membership of a site, rather than the site itself, could accomplish more
than a one-time brute force break-in with a lot less effort.

Personally, I'd rather not see "retries" in the core, at least not on by
default.  I would advocate a "strong password" option that just checks for
length, and three out of the following four categories, when the password is
1. Upper case letters
2. Lower case letters
3. Numbers
4. Symbols/punctuation

Is the login screen pluggable? I've never looked... 
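The "strong password" check proposed above (minimum length plus three of the four character categories), as an added example written for this page; it is not code from the thread or from WordPress. The minimum length of 8 and the handling of non-ASCII symbols are assumptions, since the thread does not specify them.

```python
"""Password-policy check: minimum length and three of four character categories."""
from typing import Callable, Dict, List

# Assumed defaults: the thread names no specific minimum length.
MIN_LENGTH = 8
REQUIRED_CATEGORIES = 3

# The four categories from the thread. "symbol" is any non-alphanumeric,
# non-whitespace character, so non-ASCII punctuation also counts (assumption).
CATEGORY_TESTS: Dict[str, Callable[[str], bool]] = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "symbol": lambda c: not c.isalnum() and not c.isspace(),
}


def categories_present(password: str) -> List[str]:
    """Return the names of the categories that appear at least once in password."""
    return [name for name, test in CATEGORY_TESTS.items()
            if any(test(ch) for ch in password)]


def check_password(password: str, min_length: int = MIN_LENGTH,
                   required: int = REQUIRED_CATEGORIES) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    errors: List[str] = []
    if len(password) < min_length:
        errors.append(f"must be at least {min_length} characters")
    present = categories_present(password)
    if len(present) < required:
        missing = [c for c in CATEGORY_TESTS if c not in present]
        errors.append(f"must use at least {required} of 4 character types; "
                      f"missing: {', '.join(missing)}")
    return errors


def is_strong(password: str) -> bool:
    """True when the password satisfies the policy."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample passwords, not values from the thread.
    for pw in ["password", "Password1", "correct horse", "Tr0ub4dor&3", "Ab1!"]:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```

A profile-page hook would call check_password on the new password and refuse the change when the returned list is non-empty, showing the messages to the user.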
