[wp-hackers] Securing Wordpress Login

Rob Miller r at robm.me.uk
Tue Aug 22 17:56:24 GMT 2006

Jeff Minard wrote:
> Robert Deaton wrote:
>> And someone who wants to stop you from using your blog just issues a
>> login attempt with your username every 19 seconds, and you're locked
>> out.
> I agree. It seems stupid to punish the user's account for the actions of
> a would be hacker.
> I'd much rather see the IP logged three times, and then simply blocked.
> This would eliminate a lot of the db overhead of locking an account and
> continuing to check it each time. Log the attempts, grab some data about
> it and keep it around.
> Just block the offending IP and be on with life. Not sure how you handle
> a very advanced cracker, i.e., one that uses multiple IPs.
By telling people their passwords are weak in the admin interface, and
if they get compromised after that saying "well, you should have had a
strong password like we advised".

There's only so much that is WordPress's responsibility here.

Rob Miller
http://robm.me.uk/ | http://kantian.co.uk/
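The per-IP scheme Jeff describes (log each failed attempt, block the source after three) is straightforward to sketch, and sketching it also shows why it avoids the lockout problem Robert raised: the victim's account is never touched, so an attacker hammering the login form cannot lock the real owner out. The code below is an added illustration written for this page; it is not WordPress code and not from any of the thread's authors. The `LoginThrottle` class, the `check_password` helper, the three-strikes / ten-minute window / one-hour block values and the sample IP addresses are all assumptions chosen for the example.

```python
"""Per-source-IP login throttle, illustrating the approach discussed in the thread.
Added example; the class, helper names, thresholds and sample addresses are assumptions."""
import hmac
import time
from collections import defaultdict, deque


# Constructed credential store for the demo; a real site would store password hashes.
_CREDENTIALS = {"admin": "correct horse battery staple"}


def check_password(username, password):
    """Constant-time comparison against the constructed store above."""
    expected = _CREDENTIALS.get(username, "")
    return hmac.compare_digest(expected.encode(), password.encode())


class FakeClock:
    """Deterministic clock so the scenario below is reproducible."""
    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    def __init__(self, max_failures=3, window_seconds=600, block_seconds=3600, clock=time.time):
        self.max_failures = max_failures      # assumed: three strikes
        self.window = window_seconds          # assumed: strikes counted over 10 minutes
        self.block_for = block_seconds        # assumed: offending IP blocked for an hour
        self.clock = clock
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self.blocked_until = {}               # ip -> time at which the block expires
        self.log = []                         # (time, ip, username) kept for later analysis

    def _prune(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, ip):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            # Block has expired: forget it and start the IP with a clean slate.
            del self.blocked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip, username, password, verify=check_password):
        """Process one login attempt. Returns 'blocked', 'ok' or 'failed'.

        Only the source IP is ever penalised; the target account is never locked,
        so an attacker cannot deny the real owner access by guessing at their name.
        """
        now = self.clock()
        if self.is_blocked(ip):
            return "blocked"                  # refused before any credential check
        if verify(username, password):
            self.failures.pop(ip, None)
            return "ok"
        self.log.append((now, ip, username))  # keep the data around, as suggested
        self._prune(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) >= self.max_failures:
            self.blocked_until[ip] = now + self.block_for
        return "failed"

    def distinct_ips_targeting(self, username):
        """Number of different IPs that have failed against one account.

        Per-IP blocking alone does not stop a guesser spread across many
        addresses (the caveat raised in the thread); this reading of the log
        is what lets an operator notice that case without locking the account.
        """
        return len({ip for _, ip, user in self.log if user == username})


def simulate():
    """Scenario: one guesser at 203.0.113.5, the real owner at 198.51.100.7."""
    clock = FakeClock(1_000_000.0)
    throttle = LoginThrottle(clock=clock)
    results = []
    # Three wrong guesses, 19 seconds apart, from the attacker's address.
    for guess in ("password", "admin", "letmein"):
        results.append(throttle.attempt("203.0.113.5", "admin", guess))
        clock.advance(19)
    # Fourth attempt from the same address is refused outright.
    results.append(throttle.attempt("203.0.113.5", "admin", "wordpress"))
    # The owner logs in from elsewhere and is unaffected by the attacker's activity.
    results.append(throttle.attempt("198.51.100.7", "admin", "correct horse battery staple"))
    return results


if __name__ == "__main__":
    print(simulate())
```

`simulate()` returns `['failed', 'failed', 'failed', 'blocked', 'ok']`: the block lands on the attacker's address on the third failure, and the owner's login from another address still succeeds. The `distinct_ips_targeting` reading of the retained log is the added part that addresses the multiple-IP question; it surfaces a distributed guessing run for review rather than locking the account, which would reintroduce the lockout problem.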
