[wp-hackers] Securing Wordpress Login

Jamie Holly hovercrafter at earthlink.net
Mon Aug 21 14:33:56 GMT 2006

> It took me a while to find it, but this was discussed in this list before.

> http://comox.textdrive.com/pipermail/wp-hackers/2005-December/003385.html

> This large thread had quite a few solutions proposed, but I don't  
> think any was incorporated into the release (2.0) at the end.

I'll take a look through that. Thanks for digging it up.

> Upon first inspection, this would raise concerns among the blind (see
> below).

Actually, on the sites I have done this on, this is not a concern. The only
people who log in are people who write for the sites. I can see where this
would be a concern with a larger/open audience though. I also try to go with
high-contrast CAPTCHAs that use larger point sizes and don't warp/rotate
the letters at all (like many of the other captcha systems do). This makes
it more open to OCR, but I doubt that is as much of a concern.

> The one issue with this is that it opens the system to
> account-targeted vandalism. Someone can affect one's
> account and cause great inconvenience. Since it's not a
> brute-force-type attack, it will probably be less tolerable
> than DDOS attacks on the login page, which at the very worst
> lead to problems in the database or bring down the server.
> You wouldn't want Senator Gore with his 20-buck-a-month
> hosting relying on this... *LOL*

That's why I was figuring something like: after 5 failed attempts, Wordpress
changes the password using the default password generator (which is actually
decent). After they hit that magic number, the password would only change
once (instead of someone doing 10,000 login attempts and that person ending
up with 2,000 password emails LOL). The other option would be to email some
sort of activation link, but then you get into the problem of the email not
going through (something rather common on crappy shared hosting).

And actually that was Senator Lieberman on his $15/month shared hosting that
was actually coming off a reseller account with 73 other sites on a single
server and wondering why it went down after a night of running two-minute
television ads with his URL at the bottom LOL. 

Jamie Holly
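The "rotate once after N failures" scheme described in the post, as an added example that is not part of the original message and not WordPress code: a per-account failure counter that, on reaching the threshold, replaces the password with a freshly generated one exactly once (standing in for the single reset email) and stays quiet on every further failed attempt until the owner logs in with the new password. PBKDF2 via `hashlib` stands in for WordPress's password hashing and `secrets` for its password generator; the in-memory `LoginGuard` store and the threshold of 5 are assumptions taken from the post.

```python
import hashlib
import secrets
import string
from dataclasses import dataclass, field

# The "magic number" from the post: failures before the one-time password reset fires.
FAILED_ATTEMPT_THRESHOLD = 5
PBKDF2_ROUNDS = 50_000

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()"


def generate_password(length: int = 12) -> str:
    """CSPRNG-backed password; stands in for WordPress's default generator (assumption)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; stands in for WordPress's hashing (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    rotated: bool = False  # has the one-time reset already fired for this lockout?
    # Each entry is one "new password" email; the post wants exactly one per lockout.
    notifications: list = field(default_factory=list)


class LoginGuard:
    """In-memory stand-in for the user table plus the failed-login bookkeeping."""

    def __init__(self, threshold: int = FAILED_ATTEMPT_THRESHOLD):
        self.threshold = threshold
        self.accounts: dict[str, Account] = {}

    def create_account(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt))

    def attempt_login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            # Unknown user: nothing to lock or rotate, and no signal about existence.
            return False

        if secrets.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            # Successful login clears the counter and re-arms the one-time reset.
            acct.failures = 0
            acct.rotated = False
            return True

        acct.failures += 1
        if acct.failures >= self.threshold and not acct.rotated:
            # Threshold reached for the first time: rotate once, "email" once.
            new_password = generate_password()
            acct.salt = secrets.token_bytes(16)
            acct.pw_hash = hash_password(new_password, acct.salt)
            acct.rotated = True
            acct.notifications.append(new_password)
        # Further failures after rotation change nothing: no second email, no second reset.
        return False


if __name__ == "__main__":
    guard = LoginGuard()
    guard.create_account("editor", "correct horse battery")
    for _ in range(8):  # constructed: eight bad guesses in a row
        guard.attempt_login("editor", "not the password")
    acct = guard.accounts["editor"]
    print(f"failures={acct.failures} rotated={acct.rotated} emails={len(acct.notifications)}")
```

Note the defender-side trade-off the thread is circling: the counter is keyed by account, so anyone who knows a username can still force one reset (and one email) per lockout; the `rotated` flag bounds that at one per owner login rather than one per guess, which is the whole point of the "only change once" rule in the post.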
