[wp-hackers] Author URLs expose usernames

Rob Miller rob at bigfish.co.uk
Thu Jul 19 08:03:29 UTC 2012

On Thursday, 19 July 2012 at 08:52, Andrew Spratley wrote:

> Limiting public login attempts (I'd like to see this in core, does the
> aforementioned plugin for on Multisite installs?)

Even just a delay would be good — where the time taken to process the login is (exponentially?) proportional to the number of attempts from that IP in the past X hours, making a brute-force attack rapidly impossible.

You can imagine how it would work: your first login attempt would process in normal time, but the second would take 0.5s, the third 0.75s, the fourth 1.1s, etc.; by the time of the tenth attempt, the process might take 30 seconds. This way, "legitimate" repeated attempts — someone who can't quite remember their password — remain possible, but trying thousands of passwords becomes impossible (before the universe dies, anyway).
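The progressive-delay scheme sketched above, as an added illustration that is not code from this thread or from WordPress: a small per-IP throttle whose delay grows geometrically with the failures seen in the last X hours (the `LoginThrottle` class, the 0.5s/1.5x/30s parameters and the 203.0.113.5 address are all constructed for the example).

```python
from collections import defaultdict, deque
import time


class LoginThrottle:
    """Per-IP progressive login delay (hypothetical sketch, not a WordPress plugin).

    Failed attempts are remembered for `window` seconds. The delay imposed on the
    next attempt is 0 for a fresh IP, then base, base*factor, base*factor^2, ...
    capped at max_delay. Caveat for defenders: keying on IP alone penalises users
    behind a shared NAT and does nothing against an attacker spreading attempts
    over many addresses, so this belongs alongside (not instead of) per-account
    controls and alerting.
    """

    def __init__(self, window=3600.0, base=0.5, factor=1.5, max_delay=30.0):
        self.window = window
        self.base = base
        self.factor = factor
        self.max_delay = max_delay
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures

    def _recent_failures(self, ip, now):
        q = self._failures[ip]
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return len(q)

    def delay_for(self, ip, now=None):
        """Seconds to wait before processing this attempt (0, 0.5, 0.75, 1.125, ...)."""
        now = time.time() if now is None else now
        n = self._recent_failures(ip, now)
        if n == 0:
            return 0.0
        return min(self.max_delay, self.base * self.factor ** (n - 1))

    def record_failure(self, ip, now=None):
        self._failures[ip].append(time.time() if now is None else now)

    def reset(self, ip):
        """Call on a successful login so a forgetful user is not penalised further."""
        self._failures.pop(ip, None)


def brute_force_cost(n_attempts, **throttle_kwargs):
    """Total delay an attacker from one IP accumulates over n consecutive failures
    (attempts simulated one second apart from the constructed address 203.0.113.5)."""
    throttle = LoginThrottle(**throttle_kwargs)
    ip, total = "203.0.113.5", 0.0
    for i in range(n_attempts):
        total += throttle.delay_for(ip, now=float(i))
        throttle.record_failure(ip, now=float(i))
    return total
```

With the constructed parameters ten failures cost about 37 seconds of added delay in total, while a thousand cost more than eight hours, which is the asymmetry between a forgetful user and a dictionary run.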


Rob Miller
Head of Digital

big fish®
11 Chelsea Wharf
15 Lots Road
SW10 0QJ
Office number: +44 (0)20 7795 0075
Direct number: +44 (0)20 7376 6799

www.bigfish.co.uk (http://www.bigfish.co.uk/)
