[wp-hackers] Securing Wordpress Login

Jamie Holly hovercrafter at earthlink.net
Tue Aug 22 19:49:36 GMT 2006


That would be the big problem on IP blocking. AOL uses proxies and there are
still a lot of people who consider them an actual ISP lol.

Perhaps a notification of failed login attempts via email would be the way
to go. It at least gives a heads up that someone is screwing around. I
wouldn't mind seeing a feature that invokes password checking. Something
could possibly be written in javascript using regular expressions to check
and see if they have a combination of upper and lower case characters along
with numbers/punctuation to make the login more secure. Just a simple
indicator that goes from like red to yellow to green or low/medium/high as
they type in the password. People who have admin or editor access should be
aware to make their passwords follow a stricter guideline (or at least have
the common sense). Authors and below aren't quite as bad as they have
limited access as it is.

Jamie Holly
http://www.intoxination.net
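As an added illustration of the regex-based strength indicator suggested above (this is example code, not anything from WordPress or the poster), the function below mixes character-class checks with a length check and maps the result onto the low/medium/high scale. The function names, the thresholds and the `#user_pass` / `#pass-strength` element ids are assumptions made for this example.

```javascript
// Character classes the indicator looks for, each as a regular expression.
const CLASSES = [
  { name: "lower", re: /[a-z]/ },
  { name: "upper", re: /[A-Z]/ },
  { name: "digit", re: /[0-9]/ },
  { name: "punct", re: /[^A-Za-z0-9\s]/ }, // anything not alphanumeric or whitespace
];

// Count how many distinct character classes the password mixes.
function classCount(password) {
  return CLASSES.filter((c) => c.re.test(password)).length;
}

// Map length and class mix onto low/medium/high.
// Thresholds (8 / 12 characters, 2 / 4 classes) are assumptions for illustration.
function ratePassword(password) {
  const classes = classCount(password);
  const len = password.length;
  if (len < 8 || classes < 2) return "low";
  if (len >= 12 && classes >= 4) return "high";
  return "medium";
}

// Colour used for each rating: red -> yellow -> green as the password improves.
const COLOR = { low: "red", medium: "yellow", high: "green" };

// Update the display element every time the password field changes.
function attachIndicator(input, display) {
  input.addEventListener("input", () => {
    const rating = ratePassword(input.value);
    display.textContent = rating;
    display.style.color = COLOR[rating];
  });
}

// Only wire up the DOM when running in a browser (element ids are assumed).
if (typeof document !== "undefined") {
  const field = document.querySelector("#user_pass");
  const meter = document.querySelector("#pass-strength");
  if (field && meter) attachIndicator(field, meter);
}
```

The meter is only a hint to the person typing: because the check runs in the browser it can be skipped, so the same rule has to be enforced again server-side when the password is saved.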

-----Original Message-----
From: wp-hackers-bounces at lists.automattic.com
[mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Brian Layman
Sent: Tuesday, August 22, 2006 2:30 PM
To: wp-hackers at lists.automattic.com
Subject: RE: [wp-hackers] Securing Wordpress Login

>Just block the offending IP and be on with life. Not sure how
>you handle a very advanced cracker, ie, one that uses multiple IPs.

Blocking IPs simply doesn't work for the real buggers out there. I know from
doing admin stuff, from FileFront's GamingForums, that too often you have
both good and bad users on an ISP with shared IP pools. You can't ban just
one IP when dealing with dynamic IP addresses, because the user will just
reboot their router and have a new IP address and a good user might get that
"bad" IP address the next day. And you equally can't ban the range
because you have good users in that range. You might be willing to block
out a large chunk of a city for a smaller blog (I think I am still blocking
all Tampa Bay TimeWarner Cable customers on one site), but not for a larger
one.

Besides, there are too many anonymous proxy engines out there. And THEN you
get into the topic of using DNSBLs to block logins from anonymized IP
addresses. That's a tough row to hoe. DNSBL blocked comments eventually
grew into Akismet!
