[wp-hackers] Author URLs expose usernames
mjsafoxy at gmail.com
Thu Jul 19 08:51:39 UTC 2012
I still don't fully understand why we cant use captchas? Thus eliminating
the most bots (aside from very specialised targeted ones) and meaning the
user doesn't get 'locked out'.
An entirely hypothetical suggestion could be using a OAuth "Login with
Twitter" or "Connect with Facebook", this would outsource the protection to
a entity who has the economic/technical ability to subsidise such
bruteforce attacks, although I can fully understand the other concerns with
using 3rd party closed-source APIs for security. :p Perhaps a decentralised
Wordpress login/admin protection tool, which would also provide SSL for
people who can't be asked to install their own certificate?
Anyway, I still maintain CloudFlare Free + ReCaptcha.
On 19 July 2012 10:40, Rob Miller <rob at bigfish.co.uk> wrote:
> On Thursday, 19 July 2012 at 09:26, Otto wrote:
> > But putting something into core to address brute force attacks won't
> > work either, because this is fundamentally something that shouldn't
> > happen at the WordPress level.
> I disagree, for whatever it's worth; the vast majority of WordPress's
> audience, and certainly the ones who are most likely to choose
> brute-forceable passwords — the low-hanging fruit, I guess — aren't going
> to be aware of this as a problem. I don't see how it can hurt, even if
> there is or should be DOS protection at an ISP level, to implement some
> kind of login throttling with sensible defaults (that is, defaults that err
> on the side of false negatives).
> Rob Miller
> Head of Digital
> big fish®
> 11 Chelsea Wharf
> 15 Lots Road
> SW10 0QJ
> Office number: +44 (0)20 7795 0075
> Direct number: +44 (0)20 7376 6799
> www.bigfish.co.uk (http://www.bigfish.co.uk/)
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
More information about the wp-hackers