[wp-hackers] Limit Login Attempts
chip at chipbennett.net
Tue Apr 16 15:25:09 UTC 2013
I agree that Limit Login Attempts is useful, and does block single-IP
brute-force attacks. (I use, and love, Limit Login Attempts.)
But this particular botnet has demonstrated the ability to vary the IP
address used to brute-force a given site. That behavior, IIRC, has been
observed in the wild.
My caution in adding Limit Login Attempts to core in response to this
attack is that it would give a false sense of security, WRT both
brute-force login attempts and DDoS.
On Tue, Apr 16, 2013 at 11:14 AM, Chris Williams <chris at clwill.com> wrote:
> Because if you only allow each IP four (Five? Six?) login attempts per
> day, you essentially stop them all.
> In my log analysis, it's not the case that each IP only makes a few
> attempts. They try hundreds/thousands. Now they are hitting my block,
> which requires a block of four attempts four times (16 total hits in a one
> day period).
> If you look at the analysis on this, it all says something like "at 1000
> attempts/minute it takes only N days to crack your short password". Well,
> at 4 attempts/day, that number becomes millennia.
> More to the point, why NOT do this? It doesn't require everyone to change
> their password. It doesn't require everyone to remove the "admin"
> account. It doesn't require any changes at all, yet helps protect even the
> most lax of password choosers.
> On 4/16/13 7:53 AM, "Chip Bennett" <chip at chipbennett.net> wrote:
> >If 90,000 unique IP addresses are attempting a brute-force attack, and
> >no single IP address makes more than a handful of attempts, how effective
> >will it be to limit login attempts by IP address?
> >I would support the inclusion of Limit Login Attempts in core, based on
> >utility; however, it won't do any particular good in dealing with the full
> >potential of the current attack.
> >On Tue, Apr 16, 2013 at 10:36 AM, Chris Williams <chris at clwill.com>
> >> I made a rather reasonable proposal, and received plenty of advice, but
> >> the proposal never was vetted. Now the issue of brute force attacks has
> >> even received Matt's attention:
> >> http://ma.tt/2013/04/passwords-and-brute-force/
> >> On the dozen or so WP sites I manage, wp-login.php is frequently among
> >> top 10 most often accessed pages. Yes, I have removed the admin
> >> Yes, I have robust passwords. Yes, I have plugins to help. Yes, I am
> >> playing whack-a-mole and blocking the IPs one-by-one. But brute force
> >> attempts to login are happening at an alarming rate.
> >> WordPress should include login attempt limiting as part of core:
> >> * Logging into WP is a core feature
> >> * Usernames and passwords are a core part of WP security
> >> * Password strength metering is a core feature
> >> * Limiting guesses is a key way to defend against brute force attacks
> >> Is this the end-all-be-all to WP security? No, of course not.
> >> But much of WP security depends on not being able to get access to
> >> privileged accounts. And limiting login attempts is a simple,
> >> straightforward, non-invasive way to dramatically improve that security.
> >> It has almost no impact on the good guys and virtually eliminates an
> >> exploit path.
> >> Not every WP site allows comments, so having Akismet a plugin makes
> >> Many other plugins make sense as plugins. But logging into WP is an
> >> essential facility.
> >> Limiting login attempts should be part of core.
> >> Chris
> >> _______________________________________________
> >> wp-hackers mailing list
> >> wp-hackers at lists.automattic.com
> >> http://lists.automattic.com/mailman/listinfo/wp-hackers
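The disagreement in this thread (a per-IP cap of four attempts per day stops a single-source brute force cold, but a botnet that spreads its guesses across tens of thousands of addresses never trips it) can be made concrete with a small simulation. The following code is an added example, not code from the thread, from the Limit Login Attempts plugin, or from WordPress core. It assumes a sliding 24-hour window with the four-attempt limit quoted above, and all IP addresses, timestamps and attempt counts are constructed for illustration. It also adds the complementary signal a defender would want alongside the per-IP limiter: failures aggregated per target account across distinct source addresses, which is exactly what per-IP counting cannot see.

```python
"""Simulate a per-IP failed-login limiter against two constructed attack shapes."""
from collections import defaultdict
from datetime import datetime, timedelta

PER_IP_DAILY_LIMIT = 4          # the "four attempts per day" figure from the thread
WINDOW = timedelta(days=1)


class PerIpLoginLimiter:
    """Blocks a source IP once it has PER_IP_DAILY_LIMIT failures inside WINDOW."""

    def __init__(self, limit=PER_IP_DAILY_LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        self.failures = defaultdict(list)   # ip -> timestamps of failed logins

    def is_blocked(self, ip, now):
        cutoff = now - self.window
        self.failures[ip] = [t for t in self.failures[ip] if t > cutoff]
        return len(self.failures[ip]) >= self.limit

    def record_failure(self, ip, now):
        self.failures[ip].append(now)


def replay(events, limiter=None):
    """Feed (timestamp, ip, username, succeeded) events through the limiter.

    Returns (attempts_that_reached_the_login_form, attempts_blocked)."""
    limiter = limiter or PerIpLoginLimiter()
    reached = blocked = 0
    for ts, ip, _user, ok in events:
        if limiter.is_blocked(ip, ts):
            blocked += 1
            continue
        reached += 1
        if not ok:
            limiter.record_failure(ip, ts)
    return reached, blocked


def per_account_failures(events):
    """Count failed attempts and distinct source IPs per username, ignoring IP limits.

    This is the signal the per-IP limiter cannot see: one account hammered from
    many addresses, each staying under the per-IP threshold."""
    stats = defaultdict(lambda: {"failures": 0, "ips": set()})
    for _ts, ip, user, ok in events:
        if not ok:
            stats[user]["failures"] += 1
            stats[user]["ips"].add(ip)
    return {u: (s["failures"], len(s["ips"])) for u, s in stats.items()}


START = datetime(2013, 4, 16, 12, 0, 0)   # constructed timestamp base


def single_ip_attack(attempts=100):
    """Constructed: one address tries 100 passwords for 'admin', one per second."""
    return [(START + timedelta(seconds=i), "203.0.113.7", "admin", False)
            for i in range(attempts)]


def distributed_attack(n_ips=1000, per_ip=3):
    """Constructed: 1000 addresses each try 3 passwords for 'admin'."""
    events = []
    for i in range(n_ips):
        ip = f"10.{i // 256}.{i % 256}.1"          # constructed, unique per bot
        for k in range(per_ip):
            events.append((START + timedelta(seconds=i * per_ip + k), ip, "admin", False))
    return events


if __name__ == "__main__":
    for name, events in (("single IP", single_ip_attack()),
                         ("distributed", distributed_attack())):
        reached, blocked = replay(events)
        failures, ips = per_account_failures(events)["admin"]
        print(f"{name:12s} reached login: {reached:5d}  blocked: {blocked:5d}  "
              f"failures on admin: {failures} from {ips} IPs")
```

Run as-is, the single-source case lets 4 of 100 guesses through before the block engages, while the distributed case lets all 3,000 guesses through with nothing blocked; `per_account_failures` is what surfaces the second case (3,000 failures against one account from 1,000 addresses). In line with the DDoS concern raised above, an aggregate per-account counter is best used to alert or to require a second factor rather than to lock the account, since a hard per-account lockout would let the same botnet deny the legitimate administrator access.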