[wp-hackers] Securing Wordpress Login

Robert Deaton false.hopes at gmail.com
Tue Aug 22 02:57:59 GMT 2006


On 8/20/06, Brian Layman <Brian at thecodecave.com> wrote:
> don't think I'd use it with the PW verification script external to the
> site.  I think (hope) that's in there as it is just so that he can make
> on-going improvements during the debugging stage without having to
> release the plugin over and over.  I don't think people will like
> clearing all of their passwords via plain text through a single external
> site, no matter whose site it is. But it does make a lot of sense to
> debug a plugin that is still under development in this fashion.

Actually, it's there because the external script uses a PHP extension
written in C which I can't rely on being installed on the user's
server. I thought about reimplementing libcrack in PHP, but ultimately
PHP is far too slow and bundling the amount of dictionaries I use to
check the passwords wasn't an option. I know some people won't want to
send their passwords plaintext to my server, and that's why there is
an option to disable it. But for those who reason that there is easily
enough personal information about me on the internet that they could
come to my house and beat the living crap out of me if I ever misused
that script to steal their password, there shouldn't be much issue
leaving it on.


-- 
--Robert Deaton

