[wp-hackers] Author URLs expose usernames
rob at bigfish.co.uk
Thu Jul 19 08:03:29 UTC 2012
On Thursday, 19 July 2012 at 08:52, Andrew Spratley wrote:
> Limiting public login attempts (I'd like to see this in core, does the
> aforementioned plugin work on Multisite installs?)
Even just a delay would be good — where the time taken to process the login is (exponentially?) proportional to the number of attempts from that IP in the past X hours, making a brute-force attack rapidly impossible.
You can imagine how it would work: your first login attempt would process in normal time, but the second would take 0.5s, the third 0.75s, the fourth 1.1s, etc.; by the time of the tenth attempt, the process might take 30 seconds. This way, "legitimate" repeated attempts — someone who can't quite remember their password — remain possible, but trying thousands of passwords becomes impossible (before the universe dies, anyway).
Head of Digital
11 Chelsea Wharf
15 Lots Road
Office number: +44 (0)20 7795 0075
Direct number: +44 (0)20 7376 6799
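The delay scheme sketched in the message above, as an added example that is not part of the original post or of WordPress core: a small plugin that counts failed logins per client IP in a transient and sleeps for a growing interval before the password is checked. The constants (a 0.5 s base delay that grows by a factor of 1.5 per prior failure, a 30 s cap, and a one-hour window), the `pld_` function names and the plugin header are all assumptions made for this illustration.

```php
<?php
/*
Plugin Name: Progressive Login Delay (example)
Description: Slows repeated login attempts from one IP with a delay that grows per failure.
*/

// Assumed tuning, not taken from the original post: 0.5 s, 0.75 s, 1.125 s, ...
// (times 1.5 per earlier failure), capped at 30 s; failures are forgotten after an hour.
define( 'PLD_BASE_DELAY', 0.5 );
define( 'PLD_GROWTH',     1.5 );
define( 'PLD_MAX_DELAY',  30.0 );
define( 'PLD_WINDOW',     HOUR_IN_SECONDS );

// Transient key for the requesting client. Keyed on REMOTE_ADDR only: behind a
// proxy or CDN you must derive the real client IP from a header you trust, or
// every visitor ends up in one bucket and a single attacker can lock out everyone.
function pld_client_key() {
    return 'pld_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
}

// Seconds to wait before the next attempt, given $failures recent failures:
// 0 -> 0, 1 -> 0.5, 2 -> 0.75, 3 -> 1.125, ... capped at PLD_MAX_DELAY.
function pld_delay_for( $failures ) {
    if ( $failures <= 0 ) {
        return 0.0;
    }
    return min( PLD_MAX_DELAY, PLD_BASE_DELAY * pow( PLD_GROWTH, $failures - 1 ) );
}

// Count a failed login against the client's IP; the counter expires after PLD_WINDOW.
function pld_record_failure( $username ) {
    $key      = pld_client_key();
    $failures = (int) get_transient( $key );
    set_transient( $key, $failures + 1, PLD_WINDOW );
}
add_action( 'wp_login_failed', 'pld_record_failure' );

// Run before WordPress's own username/password check (priority 20) and sleep for
// the delay earned by earlier failures from this IP. Legitimate retries still work.
function pld_throttle( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user; // not a login attempt, nothing to throttle
    }
    $delay = pld_delay_for( (int) get_transient( pld_client_key() ) );
    if ( $delay > 0 ) {
        usleep( (int) ( $delay * 1000000 ) );
    }
    return $user;
}
add_filter( 'authenticate', 'pld_throttle', 1, 3 );

// A successful login clears the counter for that IP.
function pld_clear( $user_login, $user ) {
    delete_transient( pld_client_key() );
}
add_action( 'wp_login', 'pld_clear', 10, 2 );
```

Two caveats a deployment should handle. First, the read-then-write on the transient is not atomic, so a burst of parallel requests from one IP can all observe the same low counter before any of them records a failure; an attacker who opens many connections at once pays far less delay than the schedule suggests. Second, `usleep()` holds a PHP worker for the whole delay, so the throttle itself becomes a denial-of-service lever once the delays are long. For those reasons a sleep-based delay is usually paired with a hard cutoff: above some failure count, return a `WP_Error` from the `authenticate` filter immediately instead of sleeping.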