[wp-hackers] Author URLs expose usernames

Ryan WP Mailing Lists ryan.wpmailinglists at gmail.com
Thu Jul 19 08:15:01 UTC 2012


It wouldn't really tie up php for 30s unless it's coded to wait that long to
respond. Simply erroring out, saying "please wait 30s before trying again",
would work.
On Jul 19, 2012 1:10 AM, "Andrew Spratley" <aspratley at gmail.com> wrote:

> You'd also tie up your php processes for 30s as well. I could hit your
> site from a collection of IPs and DOS you pretty quickly I'd imagine.
> It's best just to drop their connection either from within WP or
> integrate into iptables/fail2ban or something similar.
>
> On Thu, Jul 19, 2012 at 11:03 AM, Rob Miller <rob at bigfish.co.uk> wrote:
> >
> > On Thursday, 19 July 2012 at 08:52, Andrew Spratley wrote:
> >
> >> Limiting public login attempts (I'd like to see this in core, does the
> >> aforementioned plugin for on Multisite installs?)
> >
> > Even just a delay would be good — where the time taken to process the
> > login is (exponentially?) proportional to the number of attempts from that
> > IP in the past X hours, making a brute-force attack rapidly impossible.
> >
> > You can imagine how it would work: your first login attempt would
> > process in normal time, but the second would take 0.5s, the third 0.75s,
> > the fourth 1.1s, etc.; by the time of the tenth attempt, the process might
> > take 30 seconds. This way, "legitimate" repeated attempts — someone who
> > can't quite remember their password — remain possible, but trying thousands
> > of passwords becomes impossible (before the universe dies, anyway).
> >
> > --
> >
> > Rob Miller
> > Head of Digital
> >
> > big fish®
> > 11 Chelsea Wharf
> > 15 Lots Road
> > London
> > SW10 0QJ
> >
> > Office number: +44 (0)20 7795 0075
> > Direct number: +44 (0)20 7376 6799
> >
> > www.bigfish.co.uk (http://www.bigfish.co.uk/)
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
>
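The two positions in the thread (Rob's growing per-IP delay, and Ryan's point that the server should refuse early attempts immediately rather than sleep through the delay) can be combined in one throttle. The following is an added illustration written for this archive page, not code from WordPress or from any of the posters; it is framework-agnostic and assumes a one-hour window, a growth ratio of 1.5 (matching the 0.5s / 0.75s / 1.1s figures), a 30s cap on the required wait, and a hard refusal after ten failures. The `worker_seconds` helper quantifies Andrew's objection: handler time consumed if each attempt actually slept instead of being rejected.

```python
"""
Per-IP login throttling with a growing wait between attempts, enforced by
refusing early requests instead of sleeping inside the request handler.
Illustrative example for the thread above; all parameters are assumptions.
"""
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 3600     # assumed "past X hours" from the thread, X = 1
FREE_ATTEMPTS = 1         # first attempt in the window is processed at once
BASE_DELAY = 0.5          # second attempt must wait 0.5s (Rob's schedule)
GROWTH = 1.5              # assumed ratio: 0.5, 0.75, 1.125, ...
MAX_DELAY = 30.0          # cap on the required wait between two attempts
LOCKOUT_ATTEMPTS = 10     # assumed hard limit: refuse until the window drains


def required_delay(prior_failures: int) -> float:
    """Seconds an IP must wait after `prior_failures` failed logins in the
    window before its next attempt is processed at all."""
    if prior_failures < FREE_ATTEMPTS:
        return 0.0
    return min(BASE_DELAY * GROWTH ** (prior_failures - FREE_ATTEMPTS), MAX_DELAY)


class LoginThrottle:
    """Tracks failed logins per client IP; never blocks the caller."""

    def __init__(self):
        self._failures = defaultdict(deque)   # ip -> timestamps of failures

    def _prune(self, ip: str, now: float) -> deque:
        q = self._failures[ip]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def check(self, ip: str, now: float = None):
        """Return (allowed, retry_after_seconds). When allowed is False the
        caller should answer immediately with a "try again in N seconds"
        error rather than sleep, so no worker is tied up."""
        now = time.time() if now is None else now
        q = self._prune(ip, now)
        if len(q) >= LOCKOUT_ATTEMPTS:
            return False, WINDOW_SECONDS - (now - q[0])
        if not q:
            return True, 0.0
        wait = required_delay(len(q)) - (now - q[-1])
        return (True, 0.0) if wait <= 0 else (False, wait)

    def record_failure(self, ip: str, now: float = None) -> None:
        now = time.time() if now is None else now
        self._prune(ip, now).append(now)

    def record_success(self, ip: str) -> None:
        """A correct password clears the counter for that IP."""
        self._failures.pop(ip, None)


def worker_seconds(attempts: int) -> float:
    """Handler time that would be consumed if each of `attempts` requests
    slept for its delay instead of being refused (the cost Andrew raised)."""
    return sum(required_delay(n) for n in range(attempts))


if __name__ == "__main__":
    # Constructed scenario: one client IP (documentation range) hammering login.
    throttle = LoginThrottle()
    ip = "203.0.113.5"
    t0 = 1000.0
    for n in range(12):
        allowed, wait = throttle.check(ip, now=t0 + n)   # one attempt per second
        print(f"attempt {n + 1}: allowed={allowed} retry_after={wait:.2f}s")
        if allowed:
            throttle.record_failure(ip, now=t0 + n)
    print(f"worker time if sleeping through 10 attempts: {worker_seconds(10):.1f}s")
```

The fast-reject design keeps the per-request cost constant regardless of how many IPs are attacking, which is what makes it safe to deploy in a PHP worker pool; the same schedule implemented with `sleep()` would hand an attacker a cheap way to exhaust the pool.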

