[wp-hackers] Securing Wordpress Login

Jeff Minard jeff at jrm.cc
Tue Aug 22 17:34:50 GMT 2006

Robert Deaton wrote:
> And someone who wants to stop you from using your blog just issues a
> login attempt with your username every 19 seconds, and you're locked
> out.

I agree. It seems stupid to punish the user's account for the actions of
a would-be hacker.

I'd much rather see the IP logged three times, and then simply blocked.
This would eliminate a lot of the db overhead of locking an account and
continuing to check it each time. Log the attempts, grab some data about
it and keep it around.

Just block the offending IP and be on with life. Not sure how you handle
a very advanced cracker, i.e., one that uses multiple IPs.
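
A sketch of the per-IP approach discussed in this message, added here as an illustration; it is not code from the post or from WordPress. The class name, the 15-minute window and the in-memory store are assumptions, and the sample traffic is constructed.

```python
import json
import logging
from collections import defaultdict

log = logging.getLogger("login")


class IpLoginThrottle:
    """Counts failed logins per source IP; the account itself is never locked."""

    def __init__(self, max_failures=3, window_seconds=900):
        self.max_failures = max_failures      # three logged failures, then block
        self.window_seconds = window_seconds  # assumption: failures age out after 15 min
        self._failures = defaultdict(list)    # ip -> timestamps of recent failures

    def _recent(self, ip, now):
        return [t for t in self._failures.get(ip, []) if now - t < self.window_seconds]

    def is_blocked(self, ip, now):
        """Call before checking the password, so a blocked IP never reaches the account."""
        return len(self._recent(ip, now)) >= self.max_failures

    def record_failure(self, ip, username, now):
        self._failures[ip] = self._recent(ip, now) + [now]
        # Keep data about the attempt; JSON-encode so a crafted username cannot forge log lines.
        log.warning(json.dumps({"event": "login_failure", "ip": ip, "user": username, "ts": now}))


def demo():
    """Constructed sample traffic using documentation-range addresses."""
    throttle, t = IpLoginThrottle(), 1000
    for offset in (0, 19, 38):  # one source retrying the same username
        throttle.record_failure("203.0.113.7", "admin", t + offset)
    results = {
        "attacker_blocked": throttle.is_blocked("203.0.113.7", t + 40),
        "owner_blocked": throttle.is_blocked("198.51.100.20", t + 40),
        "attacker_blocked_after_window": throttle.is_blocked("203.0.113.7", t + 901),
    }
    # The open question in the message: failures spread over several addresses
    # stay under the per-IP limit, so this check alone does not catch them.
    spread = []
    for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3"):
        throttle.record_failure(ip, "admin", t + 50)
        throttle.record_failure(ip, "admin", t + 60)
        spread.append(throttle.is_blocked(ip, t + 61))
    results["any_distributed_source_blocked"] = any(spread)
    return results


if __name__ == "__main__":
    print(demo())
```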

