[wp-hackers] Author URLs expose usernames
rob at bigfish.co.uk
Thu Jul 19 08:38:05 UTC 2012
On Thursday, 19 July 2012 at 09:10, Andrew Spratley wrote:
> You'd also tie up your php processes for 30s as well. I could hit your
> site from a collection of IPs and DOS you pretty quickly I'd imagine.
> It's best just to drop their connection either from within WP or
> integrate into iptables/fail2ban or something similar.
The point of this approach is usually to avoid showing a message to the user or to in any way actually *block* the attempt, but rather just to increase the amount of time taken to achieve it — similar to the philosophy used by hashing schemes like bcrypt with their concept of "work".
That way, if it *is* a legitimate user, who really does take ten attempts to remember their password, they're never blocked (and therefore never need manual intervention to unblock); they just have to wait a bit longer for the login to process.
But yes, as Andrew points out, you're opening yourself up to a DOS since it becomes trivial to get all of your Apache/php-fpm processes tied up at once, which means any new requests would be denied. So it's unfortunately not viable, as perhaps elegant as it would be.
Head of Digital
11 Chelsea Wharf
15 Lots Road
Office number: +44 (0)20 7795 0075
Direct number: +44 (0)20 7376 6799
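The trade-off Rob and Andrew describe, as an added illustration that is not code from the thread or from WordPress: the sleep-based slowdown holds a worker for the whole delay, whereas a throttle that records when the next attempt is allowed and rejects early retries immediately keeps the "make it slower, never lock them out" idea without tying up processes. The key (username plus client IP), the exponential schedule and the injectable clock are assumptions for the example.

```python
import time
from collections import defaultdict

def blocking_delay(failures, base=1.0, cap=30.0):
    """Sleep-based slowdown from the thread: each worker handling a failed
    login sleeps here, so a flood of bad logins exhausts the worker pool."""
    delay = min(base * 2 ** max(failures - 1, 0), cap)
    time.sleep(delay)  # holds the PHP/Python worker for the whole delay
    return delay

class LoginThrottle:
    """Non-blocking alternative (assumed design, not WordPress code): remember
    when the next attempt is allowed and reject earlier ones at once, so no
    worker is held while the client waits out the delay."""

    def __init__(self, base=1.0, cap=30.0, clock=time.monotonic):
        self.base, self.cap, self.clock = base, cap, clock
        self.failures = defaultdict(int)      # key -> consecutive failures
        self.not_before = defaultdict(float)  # key -> time of next allowed try

    def attempt(self, key, password_ok):
        """key is e.g. (username, client_ip); password_ok is the result of the
        real credential check. Returns instantly with one of:
        ('retry_later', seconds_left), ('ok', 0.0) or ('failed', next_delay)."""
        now = self.clock()
        remaining = self.not_before[key] - now
        if remaining > 0:
            # Even a correct password is refused inside the window; the
            # legitimate user waits a bit longer but is never locked out.
            return "retry_later", remaining
        if password_ok:
            self.failures.pop(key, None)
            self.not_before.pop(key, None)
            return "ok", 0.0
        self.failures[key] += 1
        delay = min(self.base * 2 ** (self.failures[key] - 1), self.cap)
        self.not_before[key] = now + delay
        return "failed", delay
```

Because the window is enforced by a timestamp comparison rather than a sleep, a burst of bad logins costs one cheap rejection per request instead of one occupied worker per request.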