[wp-hackers] Author URLs expose usernames

Muhammad Ali mjsafoxy at gmail.com
Thu Jul 19 08:27:44 UTC 2012


I quite like the DDoS/brute-force protection tools in CloudFlare. How about
simply creating a MySQL table of blocked IPs/hostnames with a block start
time? After the user-selected expiration time has passed, the IP row will be
dropped from the database; otherwise, if a login (or perhaps even any load of
the wp-load.php file) is attempted from that IP, a 'connection refused by
host' header will be sent and the script will then just die.

On 19 July 2012 10:15, Ryan WP Mailing Lists
<ryan.wpmailinglists at gmail.com> wrote:

> It wouldn't really tie up PHP for 30s unless it's coded to wait that long to
> respond. Simply erroring out saying please wait 30s before trying again would
> work.
> On Jul 19, 2012 1:10 AM, "Andrew Spratley" <aspratley at gmail.com> wrote:
>
> > You'd also tie up your PHP processes for 30s as well. I could hit your
> > site from a collection of IPs and DOS you pretty quickly, I'd imagine.
> > It's best just to drop their connection either from within WP or
> > integrate into iptables/fail2ban or something similar.
> >
> > On Thu, Jul 19, 2012 at 11:03 AM, Rob Miller <rob at bigfish.co.uk> wrote:
> > >
> > > On Thursday, 19 July 2012 at 08:52, Andrew Spratley wrote:
> > >
> > >> Limiting public login attempts (I'd like to see this in core; does the
> > >> aforementioned plugin work on Multisite installs?)
> > >
> > > Even just a delay would be good — where the time taken to process the
> > > login is (exponentially?) proportional to the number of attempts from that
> > > IP in the past X hours, making a brute-force attack rapidly impossible.
> > >
> > > You can imagine how it would work: your first login attempt would
> > > process in normal time, but the second would take 0.5s, the third 0.75s,
> > > the fourth 1.1s, etc.; by the time of the tenth attempt, the process might
> > > take 30 seconds. This way, "legitimate" repeated attempts — someone who
> > > can't quite remember their password — remain possible, but trying thousands
> > > of passwords becomes impossible (before the universe dies, anyway).
> > >
> > > --
> > >
> > > Rob Miller
> > > Head of Digital
> > >
> > > big fish®
> > > 11 Chelsea Wharf
> > > 15 Lots Road
> > > London
> > > SW10 0QJ
> > >
> > > Office number: +44 (0)20 7795 0075
> > > Direct number: +44 (0)20 7376 6799
> > >
> > > www.bigfish.co.uk (http://www.bigfish.co.uk/)
> > > _______________________________________________
> > > wp-hackers mailing list
> > > wp-hackers at lists.automattic.com
> > > http://lists.automattic.com/mailman/listinfo/wp-hackers
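A worked model of the scheme the thread converges on, added here and not code from the list or from WordPress: per-IP failure counts over a window drive an exponentially growing required wait, the server errors out immediately with a retry-after instead of sleeping, and an outright block row with a start time is dropped once it expires. The in-memory dicts stand in for the MySQL table; the constants and IPs are assumed values.

```python
from dataclasses import dataclass, field
from typing import Dict, List

WINDOW = 3600.0        # count failures from the last X hours (assumed: 1h)
BASE_DELAY = 0.5       # required wait after the first failure (seconds)
MAX_DELAY = 30.0       # cap so a row never demands more than 30s
BLOCK_AFTER = 10       # failures within WINDOW before the IP is blocked outright
BLOCK_SECONDS = 900.0  # how long a block row lives before it is dropped

@dataclass
class LoginThrottle:
    """In-memory stand-in for a 'blocked IPs with a block start time' table."""
    failures: Dict[str, List[float]] = field(default_factory=dict)
    blocked: Dict[str, float] = field(default_factory=dict)  # ip -> block start

    def _prune(self, ip: str, now: float) -> List[float]:
        # Drop an expired block row and any failures older than WINDOW.
        if ip in self.blocked and now - self.blocked[ip] >= BLOCK_SECONDS:
            del self.blocked[ip]
            self.failures.pop(ip, None)
        kept = [t for t in self.failures.get(ip, []) if now - t < WINDOW]
        if kept:
            self.failures[ip] = kept
        else:
            self.failures.pop(ip, None)
        return kept

    def required_wait(self, n_failures: int) -> float:
        # Exponential in the number of recent failures, capped at MAX_DELAY.
        if n_failures == 0:
            return 0.0
        return min(MAX_DELAY, BASE_DELAY * 2 ** (n_failures - 1))

    def check(self, ip: str, now: float) -> float:
        """0.0 if the login may proceed, else seconds the client must wait.
        The caller errors out at once; no worker process sleeps."""
        recent = self._prune(ip, now)
        if ip in self.blocked:
            return BLOCK_SECONDS - (now - self.blocked[ip])
        if not recent:
            return 0.0
        remaining = self.required_wait(len(recent)) - (now - recent[-1])
        return max(0.0, remaining)

    def record_failure(self, ip: str, now: float) -> None:
        recent = self._prune(ip, now)
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= BLOCK_AFTER and ip not in self.blocked:
            self.blocked[ip] = now  # block row with its start time
```

The check runs before the password is even compared, so a rejected request costs one dictionary lookup rather than a held PHP worker.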