[wp-hackers] Limit Login Attempts

Chris Williams chris at clwill.com
Tue Apr 16 14:36:53 UTC 2013

I made a rather reasonable proposal, and received plenty of advice, but the proposal never was vetted.  Now the issue of brute force attacks has even received Matt's attention: http://ma.tt/2013/04/passwords-and-brute-force/

On the dozen or so WP sites I manage, wp-login.php is frequently among the top 10 most often accessed pages.  Yes, I have removed the admin account.  Yes, I have robust passwords.  Yes, I have plugins to help.  Yes, I am playing whack-a-mole and blocking the IPs one-by-one.  But brute force attempts to login are happening at an alarming rate.

Wordpress should include login attempt limiting as part of core:

 *   Logging into WP is a core feature
 *   Usernames and passwords are a core part of WP security
 *   Password strength metering is a core feature
 *   Limiting guesses is a key way to defend against brute force attacks

Is this the end-all-be-all to WP security?  No, of course not.

But much of WP security depends on not being able to get access to privileged accounts.  And limiting login attempts is a simple, straightforward, non-invasive way to dramatically improve that security.  It has almost no impact on the good guys and virtually eliminates a common exploit path.

Not every WP site allows comments, so having Akismet a plugin makes sense.  Many other other plugins make sense as plugins.  But logging into WP is an essential facility.

Limiting login attempts should be part of core.


More information about the wp-hackers mailing list