[wp-hackers] Securing Wordpress Login

[Jeff Minard]

Brian Layman wrote:
> Blocking IPs simply doesn't work for the real buggers out there. I know from
> doing admin stuff, from FileFront's GamingForums, that too often you have
> both good and bad users on an ISP with shared IP pools.  You can't ban just
> one IP when dealing with dynamic IP addresses, because the user will just
> reboot their router and have a new ip address and a good user might get that
> "bad" ip address next the next day.  And you equally can't ban the range
> because you have good users in that range.  You might be willing to block
> out a large chunk of a city for a smaller blog (I think I am still blocking
> all Tampa Bay TimeWarner Cable customers on one site), but not for a larger
> one.  

Woah, woah.

We're not talking about blacklisting an IP from the whole site. The
topic was about stopping a bad user from running a dictionary attack
against the wp-login page.

An IP ban, even on a block, is perfectly acceptable. You're only
blocking the login page, and it would only be for a, what, few hours?
Rinse repeat till the "wannabe" gets lost.

Believe me, I know that method has holes. Spoofed IPs, multi-ip attack
bots, rolling ips, etc. But at that point, your not dealing with the
original threat (and I quoteth) "some punk that loves to cause problems".

I am of the mind, however, that anything more advanced then a simple
brute is beyond the scope of what wordpress could (or should) be
designed to handle (especially in shared host environments where load is
an issue).



I DO agree that having a password "strength" indicator would be a great
core feature -- consider it a live version of the typical (?) link that
says "use gud passwurds".



-- 
/\_Jeff Minard_____________________________________
\/ http://jrm.cc/ http://bf2s.com/ http://cnet.com/