[wp-hackers] Author URLs expose usernames

Ryan WP Mailing Lists ryan.wpmailinglists at gmail.com
Thu Jul 19 08:08:29 UTC 2012


I think that is a very elegant way to do so without outright blocking
accounts, as admins on blogs generally won't want to deal with unblocking a
user, and any case where that is desired can be handled by a plugin. I do
like the idea of implementing this in core.

Would this be done at a user level or IP level or both?
On Jul 19, 2012 1:03 AM, "Rob Miller" <rob at bigfish.co.uk> wrote:

>
> On Thursday, 19 July 2012 at 08:52, Andrew Spratley wrote:
>
> > Limiting public login attempts (I'd like to see this in core; does the
> > aforementioned plugin work on Multisite installs?)
>
> Even just a delay would be good — where the time taken to process the
> login is (exponentially?) proportional to the number of attempts from that
> IP in the past X hours, making a brute-force attack rapidly impossible.
>
> You can imagine how it would work: your first login attempt would process
> in normal time, but the second would take 0.5s, the third 0.75s, the fourth
> 1.1s, etc.; by the time of the tenth attempt, the process might take 30
> seconds. This way, "legitimate" repeated attempts — someone who can't quite
> remember their password — remain possible, but trying thousands of
> passwords becomes impossible (before the universe dies, anyway).
>
> --
>
> Rob Miller
> Head of Digital
>
> big fish®
> 11 Chelsea Wharf
> 15 Lots Road
> London
> SW10 0QJ
>
> Office number: +44 (0)20 7795 0075
> Direct number: +44 (0)20 7376 6799
>
> www.bigfish.co.uk (http://www.bigfish.co.uk/)
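The back-off Rob sketches above, worked through as an added example; this is not code from the thread or from WordPress core. It assumes a schedule of 0.5 s base delay growing by 1.5x per failure (which reproduces the 0.5 s / 0.75 s / 1.1 s figures in his message), a one-hour window, and a 30 s cap on any single wait; it also keys on both the client IP and the username, which is one answer to the "user level or IP level" question. The scenario in `simulate_attacker` and the IP address in it are constructed for the example.

```python
"""Exponential login back-off keyed on IP and/or username.

Added example for the thread above; not WordPress code. The schedule
(0.5 s base, x1.5 per failure, 30 s cap, 1 h window) is an assumption
chosen to match the 0.5s / 0.75s / 1.1s figures in Rob's message.
"""
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Track failed logins per key and compute how long the next attempt must wait."""

    def __init__(self, window_seconds=3600.0, base_delay=0.5, factor=1.5,
                 max_delay=30.0, clock=time.monotonic):
        self.window = window_seconds
        self.base = base_delay
        self.factor = factor
        # Cap the wait: an uncapped sleep inside the request would let an
        # attacker pin web workers for hours (a denial of service of its own).
        self.max_delay = max_delay
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures

    def _recent(self, key, now):
        """Drop failures older than the window and return the remaining ones."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def failures(self, key, now=None):
        now = self.clock() if now is None else now
        return len(self._recent(key, now))

    def delay_for(self, key, now=None):
        """0 for the first attempt, then base * factor**(n-1) after n failures, capped."""
        n = self.failures(key, now)
        if n == 0:
            return 0.0
        return min(self.max_delay, self.base * self.factor ** (n - 1))

    def record_failure(self, key, now=None):
        now = self.clock() if now is None else now
        self._recent(key, now).append(now)

    def record_success(self, key):
        self._failures.pop(key, None)


def delay_before_attempt(throttle, ip, username, now=None):
    """Key on both IP and username and take the larger wait, so a botnet rotating
    IPs against one account and one host spraying many accounts are both slowed."""
    return max(throttle.delay_for(("ip", ip), now),
               throttle.delay_for(("user", username.lower()), now))


def simulate_attacker(attempts, ip="198.51.100.7", username="admin", throttle=None):
    """Constructed scenario: one IP trying `attempts` passwords for one account.
    Returns (per-attempt delays, total seconds the attacker must wait)."""
    t = throttle or LoginThrottle()
    now = 0.0
    delays = []
    for _ in range(attempts):
        d = delay_before_attempt(t, ip, username, now)
        delays.append(d)
        now += d                         # the attacker can only wait it out
        t.record_failure(("ip", ip), now)
        t.record_failure(("user", username.lower()), now)
    return delays, sum(delays)


if __name__ == "__main__":
    delays, total = simulate_attacker(10)
    for i, d in enumerate(delays, 1):
        print(f"attempt {i:2d}: wait {d:6.3f}s")
    _, total1000 = simulate_attacker(1000)
    print(f"10 attempts: {total:.1f}s total; 1000 attempts: {total1000 / 3600:.1f} hours")
```

The login handler should use the returned delay to reject the request (for example with a "try again in N seconds" response) rather than literally sleeping for it; a sleeping PHP worker is still a worker the attacker is holding. A successful login clears the username key, so a user who finally remembers their password is not penalised on their next visit.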

