[wp-hackers] Author URLs expose usernames
Rob Miller
rob at bigfish.co.uk
Thu Jul 19 08:38:05 UTC 2012
On Thursday, 19 July 2012 at 09:10, Andrew Spratley wrote:
> You'd also tie up you php processes for 30s as well. I could hit your
> site from a collection of IPs and DOS you pretty quickly I'd imagine.
> It's best just to drop their connection either from within WP or
> integrate into iptables/fal2ban or something similar.
>
>
The point of this approach is usually to avoid showing a message to the user or to in any way actually *block* the attempt, but rather just to increase the amount of time taken to achieve it — similar to the philosophy used by hashing schemes like bcrypt with their concept of "work".
That way, if it *is* a legitimate user, who really does take ten attempts to remember their password, they're never blocked (and therefore never need manual intervention to unblock); they just have to wait a bit longer for the login to process.
But yes, as Andrew points out, you're opening yourself up to a DOS since it becomes trivial to get all of your Apache/php-fpm processes tied up at once, which means any new requests would be denied. So it's unfortunately not viable, as perhaps elegant as it would be.
--
Rob Miller
Head of Digital
big fish®
11 Chelsea Wharf
15 Lots Road
London
SW10 0QJ
Office number: +44 (0)20 7795 0075
Direct number: +44 (0)20 7376 6799
www.bigfish.co.uk (http://www.bigfish.co.uk/)
More information about the wp-hackers
mailing list