[wp-hackers] Author URLs expose usernames

Ryan WP Mailing Lists ryan.wpmailinglists at gmail.com
Thu Jul 19 17:03:16 UTC 2012


I agree and it's not that unheard of... for example vBulletin locks you out
for 15 minutes if you enter wrong credentials 3 times. Having locked my own
accounts out because I can't remember which password of mine I used on the
site I can say 15 minutes is a little excessive but if after 3 attempts it
locked you out for say 5 minutes then after 3 more attempts 10 minutes
etc... I think that would be good to include in core FWIW.
On Jul 19, 2012 1:41 AM, "Rob Miller" <rob at bigfish.co.uk> wrote:

>
> On Thursday, 19 July 2012 at 09:26, Otto wrote:
>
> > But putting something into core to address brute force attacks won't
> > work either, because this is fundamentally something that shouldn't
> > happen at the WordPress level.
>
>
> I disagree, for whatever it's worth; the vast majority of WordPress's
> audience, and certainly the ones who are most likely to choose
> brute-forceable passwords — the low-hanging fruit, I guess — aren't going
> to be aware of this as a problem. I don't see how it can hurt, even if
> there is or should be DOS protection at an ISP level, to implement some
> kind of login throttling with sensible defaults (that is, defaults that err
> on the side of false negatives).
>
> --
>
> Rob Miller
> Head of Digital
>
> big fish®
> 11 Chelsea Wharf
> 15 Lots Road
> London
> SW10 0QJ
>
> Office number: +44 (0)20 7795 0075
> Direct number: +44 (0)20 7376 6799
>
> www.bigfish.co.uk (http://www.bigfish.co.uk/)
>
>
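The escalating lockout Ryan sketches (3 failures, then 5 minutes; 3 more, then 10 minutes, and so on) as a self-contained added illustration, not code from WordPress core or vBulletin. It assumes a throttle keyed on a caller-chosen string and an injected clock in epoch seconds so the policy can be exercised without waiting; the lockout length grows linearly per tier, which is one reading of the "etc." in the post.

```python
"""Escalating login throttle: a fixed number of failures earns a lockout
whose length grows with each lockout already served. Constructed example;
times are seconds and the clock is passed in by the caller."""
from dataclasses import dataclass, field

FAILURES_PER_TIER = 3          # failures tolerated before each lockout
BASE_LOCK_SECONDS = 5 * 60     # first lockout; tier N locks for N * base


@dataclass
class _State:
    failures: int = 0          # consecutive failures in the current tier
    tier: int = 0              # lockouts already imposed on this key
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


@dataclass
class LoginThrottle:
    states: dict = field(default_factory=dict)

    def seconds_locked(self, key, now):
        """Seconds remaining on the lock for key (0 when not locked)."""
        st = self.states.get(key)
        if st is None:
            return 0
        return max(0, st.locked_until - now)

    def record(self, key, password_ok, now):
        """Record one login attempt and return 'locked', 'ok' or 'failed'.
        The key is an assumption of this example: something like
        client address plus username, chosen by the caller."""
        st = self.states.setdefault(key, _State())
        if now < st.locked_until:
            return "locked"              # refused even if the password is right
        if password_ok:
            self.states.pop(key, None)   # success clears counters and tier
            return "ok"
        st.failures += 1
        if st.failures >= FAILURES_PER_TIER:
            st.tier += 1                 # 1st lockout 5 min, 2nd 10 min, ...
            st.failures = 0
            st.locked_until = now + BASE_LOCK_SECONDS * st.tier
        return "failed"
```

A successful login while locked is still refused, which is the self-lockout Ryan describes experiencing; resetting on success keeps the policy lenient for legitimate users who simply mistyped.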