[wp-hackers] Securing Wordpress Login

Brian Layman Brian at TheCodeCave.com
Sun Aug 20 17:57:22 GMT 2006


> Changing the person's password after X number of tries might not work
> if the password is changed to something that is coming up on the
> crackers' list of passwords.
I'm pretty sure the implementation wouldn't reset the password to a
known/predictable preset password.  It would be "randomly" generated
like the current user's initial password is.  As long as it isn't
generated off of a predictable event, like seconds past the minute or
something like that, we'd be pretty safe.


> I can't imagine WP doing any of these things.  
> Something like that should probably be a plugin.
It does make some sense for this to be a plugin, as everybody obviously
has different ideas about what is "secure".  Please see Robert's earlier
post with the plugin he created.
"This plugin will allow you to do password strength checks on your users
and have them be required to update their password every x
(configurable) number of days, as well as a few other nice password
related security-enhancing features. I haven't yet released this, but I
likely will later this week.

Here's a preview of the admin page: http://lushlab.com/tmp/mpws.png
Here's the zip: http://lushlab.com/tmp/mpws.zip"

It seems to do a fairly good job of putting it all in place, though I
don't think I'd use it with the PW verification script external to the
site.  I think (hope) that's in there as it is just so that he can make
on-going improvements during the debugging stage without having to
release the plugin over and over.  I don't think people will like
clearing all of their passwords via plain text through a single external
site, no matter whose site it is. But it does make a lot of sense to
debug a plugin that is still under development in this fashion. 

I do particularly like the layout of the config screen.  It's simple and
straightforward.

It seems to have a good framework.  It would be really nice if it also
incorporated the N Tries and you're CAPTCHAed technique as an option.
Everyone seems to like that option and it continues to allow the
handicapped the normal option to log in and, I assume, reset their
password instead of using a captcha.
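The two ideas discussed in this post, a CAPTCHA after N failed tries and a reset password drawn from a proper random source rather than a predictable event, as an added PHP example that is not code from the thread or from Robert's plugin. The $store array stands in for whatever persistence a plugin would use (WordPress transients or user meta), and MAX_TRIES and WINDOW_SECONDS are assumed settings.

```php
<?php
// Added example, not from the thread or from Robert's plugin.
// $store is a stand-in for persistent storage (e.g. WordPress transients).

const MAX_TRIES = 5;         // failed attempts before a CAPTCHA is required
const WINDOW_SECONDS = 900;  // failures older than this are forgotten

// Count a failed login for $user and return the running total in the window.
function record_failed_login(array &$store, string $user, int $now): int {
    $key = "failed_login_$user";
    $entry = $store[$key] ?? ['count' => 0, 'first' => $now];
    if ($now - $entry['first'] > WINDOW_SECONDS) {
        $entry = ['count' => 0, 'first' => $now]; // window expired, start over
    }
    $entry['count']++;
    $store[$key] = $entry;
    return $entry['count'];
}

// True once MAX_TRIES failures have been recorded inside the window.
function captcha_required(array $store, string $user, int $now): bool {
    $entry = $store["failed_login_$user"] ?? null;
    if ($entry === null || $now - $entry['first'] > WINDOW_SECONDS) {
        return false;
    }
    return $entry['count'] >= MAX_TRIES;
}

// A reset password must come from a CSPRNG, never from time() or any other
// event an attacker can predict; random_int() is cryptographically secure.
function generate_reset_password(int $length = 16): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Usage with constructed sample values.
$store = [];
$now = 1156096642; // constructed timestamp
for ($i = 0; $i < MAX_TRIES; $i++) {
    record_failed_login($store, 'admin', $now + $i);
}
var_dump(captcha_required($store, 'admin', $now + 10));   // within the window
var_dump(captcha_required($store, 'admin', $now + 2000)); // window has expired
echo generate_reset_password(), "\n";
```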
