[wp-hackers] Author URLs expose usernames
aspratley at gmail.com
Thu Jul 19 08:10:14 UTC 2012
You'd also tie up you php processes for 30s as well. I could hit your
site from a collection of IPs and DOS you pretty quickly I'd imagine.
It's best just to drop their connection either from within WP or
integrate into iptables/fal2ban or something similar.
On Thu, Jul 19, 2012 at 11:03 AM, Rob Miller <rob at bigfish.co.uk> wrote:
> On Thursday, 19 July 2012 at 08:52, Andrew Spratley wrote:
>> Limiting public login attempts (I'd like to see this in core, does the
>> aforementioned plugin for on Multisite installs?)
> Even just a delay would be good — where the time taken to process the login is (exponentially?) proportional to the number of attempts from that IP in the past X hours, making a brute-force attack rapidly impossible.
> You can imagine how it would work: your first login attempt would process in normal time, but the second would take 0.5s, the third 0.75s, the fourth 1.1s, etc.; by the time of the tenth attempt, the process might take 30 seconds. This way, "legitimate" repeated attempts — someone who can't quite remember their password — remain possible, but trying thousands of passwords becomes impossible (before the universe dies, anyway).
> Rob Miller
> Head of Digital
> big fish®
> 11 Chelsea Wharf
> 15 Lots Road
> SW10 0QJ
> Office number: +44 (0)20 7795 0075
> Direct number: +44 (0)20 7376 6799
> www.bigfish.co.uk (http://www.bigfish.co.uk/)
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
More information about the wp-hackers