[wp-hackers] Limit Login Attempts

Chip Bennett chip at chipbennett.net
Tue Apr 16 15:39:48 UTC 2013


"Does that overlook something important?"

Well, unless you whitelist your own IP address to bypass the login lockout,
then if the brute-force attack attacks your actual username, you could find
yourself locked out of your own site.

Another solution is to .htaccess whitelist your own IP address for
wp-login.php, but that may not exactly be a low-maintenance solution
(dynamic IP addresses, logging in from multiple locations/IP
addresses/devices, etc.).


On Tue, Apr 16, 2013 at 11:32 AM, onlyunusedname <onlyunusedname at gmail.com> wrote:

> I've been using something similar to what Jesse describes: limiting
> attempts based on username so that I may disregard IP.  Does that overlook
> something important?
>
>
> On Tue, Apr 16, 2013 at 11:30 AM, Tom Barrett <tcbarrett at gmail.com> wrote:
>
> > Is there any way to set up a collective pool, a global 'limit login
> > attempts blacklist'?
> >
> >
> > On 16 April 2013 16:25, Chip Bennett <chip at chipbennett.net> wrote:
> >
> > > I agree that Limit Login Attempts is useful, and does block single-IP
> > > brute-force attacks. (I use, and love, Limit Login Attempts.)
> > >
> > > But this particular botnet has demonstrated the ability to vary the IP
> > > address used to brute-force a given site. That behavior, IIRC, has been
> > > observed in the wild.
> > >
> > > My caution in adding Limit Login Attempts to core in response to this
> > > attack is that it would give a false sense of security, WRT both
> > > brute-force login attempts and DDoS.
> > >
> > >
> > > On Tue, Apr 16, 2013 at 11:14 AM, Chris Williams <chris at clwill.com> wrote:
> > >
> > > > Because if you only allow each IP four (Five? Six?) login attempts per
> > > > day, you essentially stop them all.
> > > >
> > > > In my log analysis, it's not the case that each IP only makes a few
> > > > attempts.  They try hundreds/thousands. Now they are hitting my block,
> > > > which requires a block of four attempts four times (16 total hits in a
> > > > one day period).
> > > >
> > > > If you look at the analysis on this, it all says something like "at 1000
> > > > attempts/minute it takes only N days to crack your short password".
> > > > Well, at 4 attempts/day, that number becomes millennia.
> > > >
> > > > More to the point, why NOT do this?  It doesn't require everyone to
> > > > change their password.  It doesn't require everyone to remove the "admin"
> > > > account. It doesn't require any changes at all, yet helps protect even
> > > > the most lax of password choosers.
> > > >
> > > > On 4/16/13 7:53 AM, "Chip Bennett" <chip at chipbennett.net> wrote:
> > > >
> > > > >If 90,000 unique IP addresses are attempting a brute-force attack, in
> > > > >which no single IP address makes more than a handful of attempts, how
> > > > >effective will it be to limit login attempts by IP address?
> > > > >
> > > > >I would support the inclusion of Limit Login Attempts in core, based on
> > > > >its utility; however, it won't do any particular good in dealing with
> > > > >the full potential of the current attack.
> > > > >
> > > > >
> > > > >On Tue, Apr 16, 2013 at 10:36 AM, Chris Williams <chris at clwill.com> wrote:
> > > > >
> > > > >> I made a rather reasonable proposal, and received plenty of advice,
> > > > >> but the proposal never was vetted.  Now the issue of brute force
> > > > >> attacks has even received Matt's attention:
> > > > >> http://ma.tt/2013/04/passwords-and-brute-force/
> > > > >>
> > > > >> On the dozen or so WP sites I manage, wp-login.php is frequently
> > > > >> among the top 10 most often accessed pages.  Yes, I have removed the
> > > > >> admin account.  Yes, I have robust passwords.  Yes, I have plugins to
> > > > >> help.  Yes, I am playing whack-a-mole and blocking the IPs one-by-one.
> > > > >> But brute force attempts to login are happening at an alarming rate.
> > > > >>
> > > > >> Wordpress should include login attempt limiting as part of core:
> > > > >>
> > > > >>  *   Logging into WP is a core feature
> > > > >>  *   Usernames and passwords are a core part of WP security
> > > > >>  *   Password strength metering is a core feature
> > > > >>  *   Limiting guesses is a key way to defend against brute force attacks
> > > > >>
> > > > >> Is this the end-all-be-all to WP security?  No, of course not.
> > > > >>
> > > > >> But much of WP security depends on not being able to get access to
> > > > >> privileged accounts.  And limiting login attempts is a simple,
> > > > >> straightforward, non-invasive way to dramatically improve that
> > > > >> security.  It has almost no impact on the good guys and virtually
> > > > >> eliminates a common exploit path.
> > > > >>
> > > > >> Not every WP site allows comments, so having Akismet as a plugin makes
> > > > >> sense.  Many other plugins make sense as plugins.  But logging into
> > > > >> WP is an essential facility.
> > > > >>
> > > > >> Limiting login attempts should be part of core.
> > > > >>
> > > > >> Chris
> > > > >> _______________________________________________
> > > > >> wp-hackers mailing list
> > > > >> wp-hackers at lists.automattic.com
> > > > >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> > > > >>
> > > >
> > > >
> > >
> >
> >
> >
> > --
> > http://www.tcbarrett.com | http://gplus.to/tcbarrett |
> > http://twitter.com/tcbarrett
> >
>

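As an added illustration of the trade-off argued in this thread (not code from the list or from the Limit Login Attempts plugin), the following constructed Python simulation replays a distributed attack followed by the site owner's own login through a per-IP limiter, a per-username limiter, and a per-username limiter with the owner's address whitelisted; LoginLimiter, OWNER_IP and the 10.0.x.x botnet addresses are all assumptions made up here.

```python
from collections import defaultdict

OWNER_IP = "192.0.2.10"  # constructed: the site owner's own address


class LoginLimiter:
    """Counts failed logins per key (source IP or target username) and
    refuses further attempts for that key once max_failures is reached."""

    def __init__(self, max_failures, key="ip", whitelist=()):
        self.max_failures = max_failures
        self.key = key                    # "ip" or "user"
        self.whitelist = set(whitelist)   # addresses that bypass the lockout
        self.failures = defaultdict(int)

    def _key(self, ip, user):
        return ip if self.key == "ip" else user

    def allowed(self, ip, user):
        if ip in self.whitelist:
            return True
        return self.failures[self._key(ip, user)] < self.max_failures

    def record_failure(self, ip, user):
        if ip not in self.whitelist:
            self.failures[self._key(ip, user)] += 1


def replay(limiter, attempts):
    """Feed (ip, user, password_ok) tuples through the limiter.
    Returns (attempts refused by the lockout, successful logins)."""
    blocked = successes = 0
    for ip, user, ok in attempts:
        if not limiter.allowed(ip, user):
            blocked += 1
        elif ok:
            successes += 1
        else:
            limiter.record_failure(ip, user)
    return blocked, successes


def botnet(n_ips=500, per_ip=3, user="admin"):
    """Constructed distributed attack: many addresses, few guesses each."""
    return [(f"10.0.{i // 256}.{i % 256}", user, False)
            for i in range(n_ips) for _ in range(per_ip)]


def scenario(key, whitelist=()):
    """Botnet traffic, then the owner's correct login from OWNER_IP."""
    limiter = LoginLimiter(max_failures=4, key=key, whitelist=whitelist)
    return replay(limiter, botnet() + [(OWNER_IP, "admin", True)])
```

With a limit of 4 failures, the per-IP limiter refuses nothing (0 refused, 1 successful login), the per-username limiter refuses 1497 attempts including the owner's own, and the whitelisted variant refuses 1496 and still lets the owner in.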
