[wp-hackers] Limit Login Attempts

Chris Williams chris at clwill.com
Tue Apr 16 15:14:07 UTC 2013

Because if you only allow each IP four (Five? Six?) login attempts per
day, you essentially stop them all.

In my log analysis, it's not the case that each IP only makes a few
attempts.  They try hundreds/thousands. Now they are hitting my block,
which requires a block of four attempts four times (16 total hits in a one
day period).

If you look at the analysis on this, it all says something like "at 1000
attempts/minute it takes only N days to crack your short password".  Well,
at 4 attempts/day, that number becomes millennia.

More to the point, why NOT do this?  It doesn't require everyone to change
their password.  It doesn¹t require everyone to remove the "admin"
account. It doesn't require any changes at all, yet helps protect even the
most lax of password choosers.

On 4/16/13 7:53 AM, "Chip Bennett" <chip at chipbennett.net> wrote:

>If 90,000 unique IP addresses are attempting a brute-force attack, in
>no single IP address makes more than a handful of attempts, how effective
>will it be to limit login attempts by IP address?
>I would support the inclusion of Limit Login Attempts in core, based on
>utility; however, it won't do any particular good in dealing with the full
>potential of the current attack.
>On Tue, Apr 16, 2013 at 10:36 AM, Chris Williams <chris at clwill.com> wrote:
>> I made a rather reasonable proposal, and received plenty of advice, but
>> the proposal never was vetted.  Now the issue of brute force attacks has
>> even received Matt's attention:
>> http://ma.tt/2013/04/passwords-and-brute-force/
>> On the dozen or so WP sites I manage, wp-login.php is frequently among
>> top 10 most often accessed pages.  Yes, I have removed the admin
>>  Yes, I have robust passwords.  Yes, I have plugins to help.  Yes, I am
>> playing whack-a-mole and blocking the IPs one-by-one.  But brute force
>> attempts to login are happening at an alarming rate.
>> Wordpress should include login attempt limiting as part of core:
>>  *   Logging into WP is a core feature
>>  *   Usernames and passwords are a core part of WP security
>>  *   Password strength metering is a core feature
>>  *   Limiting guesses is a key way to defend against brute force attacks
>> Is this the end-all-be-all to WP security?  No, of course not.
>> But much of WP security depends on not being able to get access to
>> privileged accounts.  And limiting login attempts is a simple,
>> straightforward, non-invasive way to dramatically improve that security.
>>  It has almost no impact on the good guys and virtually eliminates a
>> exploit path.
>> Not every WP site allows comments, so having Akismet a plugin makes
>>  Many other other plugins make sense as plugins.  But logging into WP
>>is an
>> essential facility.
>> Limiting login attempts should be part of core.
>> Chris
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>wp-hackers mailing list
>wp-hackers at lists.automattic.com

More information about the wp-hackers mailing list