[wp-hackers] Securing Wordpress Login
Rob Miller
r at robm.me.uk
Tue Aug 22 17:56:24 GMT 2006
Jeff Minard wrote:
> Robert Deaton wrote:
>
>> And someone who wants to stop you from using your blog just issues a
>> login attempt with your username every 19 seconds, and you're locked
>> out.
>>
>
> I agree. It seems stupid to punish the user's account for the actions of
> a would-be hacker.
>
> I'd much rather see the IP logged three times, and then simply blocked.
> This would eliminate a lot of the db overhead of locking an account and
> continuing to check it each time. Log the attempts, grab some data about
> it and keep it around.
>
> Just block the offending IP and be on with life. Not sure how you handle
> a very advanced cracker, i.e., one that uses multiple IPs.
>
By telling people their passwords are weak in the admin interface, and
if they get compromised after that saying "well, you should have had a
strong password like we advised".
There's only so much that is WordPress's responsibility here.
--
Rob Miller
http://robm.me.uk/ | http://kantian.co.uk/
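The per-IP policy Jeff proposes above, as an added illustration that is not code from the thread or from WordPress: failures are counted per source address and the address is blocked, so an attacker hammering someone's username (Robert's scenario) locks out only their own address, never the account. The IP addresses, the credential store, and the window and block durations are constructed or assumed values.

```python
import time
from collections import defaultdict, deque

# The thread proposes blocking after three logged failures; the window and
# block durations below are assumed values chosen for the demonstration.
MAX_FAILURES = 3
WINDOW_SECONDS = 600
BLOCK_SECONDS = 3600


class IpLoginThrottle:
    """Count failed logins per source IP and block the IP, not the account."""

    def __init__(self):
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._blocked_until = {}             # ip -> unix time at which the block ends

    def is_blocked(self, ip, now):
        if now < self._blocked_until.get(ip, 0):
            return True
        self._blocked_until.pop(ip, None)    # block has expired, forget it
        return False

    def attempt(self, ip, username, password, verify, now=None):
        """Return 'blocked', 'ok' or 'fail'; `verify` is the real credential check."""
        now = time.time() if now is None else now
        if self.is_blocked(ip, now):
            return "blocked"                 # refused before any database work
        if verify(username, password):
            self._failures.pop(ip, None)     # a success clears the counter
            return "ok"
        window = self._failures[ip]
        window.append(now)
        while window and window[0] < now - WINDOW_SECONDS:
            window.popleft()                 # drop failures outside the window
        if len(window) >= MAX_FAILURES:
            self._blocked_until[ip] = now + BLOCK_SECONDS
            window.clear()
        return "fail"


_USERS = {"alice": "correct horse battery staple"}  # constructed store, demo only

def verify(username, password):
    return _USERS.get(username) == password


def demo():
    """Attacker guesses alice's password from one IP; alice logs in from another."""
    t = IpLoginThrottle()
    attacker = [t.attempt("203.0.113.7", "alice", f"guess{i}", verify, now=1000 + i)
                for i in range(5)]
    alice = t.attempt("198.51.100.2", "alice", "correct horse battery staple", verify, now=1010)
    return attacker, alice
```

As the thread notes, this does nothing against an attacker spreading guesses across many addresses, and a per-IP block also hits every user behind a shared NAT or proxy address.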