[wp-hackers] wp-hackers Digest, Vol 99, Issue 24
Jeff Farthing
jeff at jfarthing.com
Tue Apr 16 15:40:47 UTC 2013
Just want to mention that my plugin, Theme My Login, allows you to limit
login attempts and block wp-login.php.
Thanks,
Jeff Farthing
http://www.jfarthing.com
@jfarthing84
On 04/16/2013 11:39 AM, wp-hackers-request at lists.automattic.com wrote:
> Send wp-hackers mailing list submissions to
> wp-hackers at lists.automattic.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.automattic.com/mailman/listinfo/wp-hackers
> or, via email, send a message with subject or body 'help' to
> wp-hackers-request at lists.automattic.com
>
> You can reach the person managing the list at
> wp-hackers-owner at lists.automattic.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of wp-hackers digest..."
>
>
> Today's Topics:
>
> 1. Re: Limit Login Attempts (Tom Barrett)
> 2. Re: Limit Login Attempts (onlyunusedname)
> 3. Re: Limit Login Attempts (Sam Hotchkiss)
> 4. Re: Limit Login Attempts (Michael Donaghy)
> 5. Re: Limit Login Attempts (Chip Bennett)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 16 Apr 2013 16:30:32 +0100
> From: Tom Barrett <tcbarrett at gmail.com>
> Subject: Re: [wp-hackers] Limit Login Attempts
> To: wp-hackers at lists.automattic.com
> Message-ID:
> <CAEgmxaZRwjjfUzGeWXZyEFrD81fZfWPxp80WF8ykS-Y1+6DKcw at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Is there any way to set up a collective pool, a global 'limit login
> attempts blacklist'?
>
>
> On 16 April 2013 16:25, Chip Bennett <chip at chipbennett.net> wrote:
>
>> I agree that Limit Login Attempts is useful, and does block single-IP
>> brute-force attacks. (I use, and love, Limit Login Attempts.)
>>
>> But this particular botnet has demonstrated the ability to vary the IP
>> address used to brute-force a given site. That behavior, IIRC, has been
>> observed in the wild.
>>
>> My caution in adding Limit Login Attempts to core in response to this
>> attack is that it would give a false sense of security, WRT both
>> brute-force login attempts and DDoS.
>>
>>
>> On Tue, Apr 16, 2013 at 11:14 AM, Chris Williams <chris at clwill.com> wrote:
>>
>>> Because if you only allow each IP four (Five? Six?) login attempts per
>>> day, you essentially stop them all.
>>>
>>> In my log analysis, it's not the case that each IP only makes a few
>>> attempts. They try hundreds/thousands. Now they are hitting my block,
>>> which requires a block of four attempts four times (16 total hits in a
>>> one day period).
>>>
>>> If you look at the analysis on this, it all says something like "at 1000
>>> attempts/minute it takes only N days to crack your short password".
>>> Well, at 4 attempts/day, that number becomes millennia.
>>>
>>> More to the point, why NOT do this? It doesn't require everyone to
>>> change their password. It doesn't require everyone to remove the "admin"
>>> account. It doesn't require any changes at all, yet helps protect even
>>> the most lax of password choosers.
>>>
>>> On 4/16/13 7:53 AM, "Chip Bennett" <chip at chipbennett.net> wrote:
>>>
>>>> If 90,000 unique IP addresses are attempting a brute-force attack, in
>>>> which no single IP address makes more than a handful of attempts, how
>>>> effective will it be to limit login attempts by IP address?
>>>>
>>>> I would support the inclusion of Limit Login Attempts in core, based on
>>>> its utility; however, it won't do any particular good in dealing with the
>>>> full potential of the current attack.
>>>>
>>>>
>>>> On Tue, Apr 16, 2013 at 10:36 AM, Chris Williams <chris at clwill.com>
>>>> wrote:
>>>>> I made a rather reasonable proposal, and received plenty of advice,
>>>>> but the proposal never was vetted. Now the issue of brute force attacks
>>>>> has even received Matt's attention:
>>>>> http://ma.tt/2013/04/passwords-and-brute-force/
>>>>>
>>>>> On the dozen or so WP sites I manage, wp-login.php is frequently among
>>>>> the top 10 most often accessed pages. Yes, I have removed the admin
>>>>> account. Yes, I have robust passwords. Yes, I have plugins to help.
>>>>> Yes, I am playing whack-a-mole and blocking the IPs one-by-one. But
>>>>> brute force attempts to login are happening at an alarming rate.
>>>>>
>>>>> WordPress should include login attempt limiting as part of core:
>>>>>
>>>>> * Logging into WP is a core feature
>>>>> * Usernames and passwords are a core part of WP security
>>>>> * Password strength metering is a core feature
>>>>> * Limiting guesses is a key way to defend against brute force attacks
>>>>>
>>>>> Is this the end-all-be-all to WP security? No, of course not.
>>>>>
>>>>> But much of WP security depends on not being able to get access to
>>>>> privileged accounts. And limiting login attempts is a simple,
>>>>> straightforward, non-invasive way to dramatically improve that
>>>>> security. It has almost no impact on the good guys and virtually
>>>>> eliminates a common exploit path.
>>>>>
>>>>> Not every WP site allows comments, so having Akismet as a plugin makes
>>>>> sense. Many other plugins make sense as plugins. But logging into WP
>>>>> is an essential facility.
>>>>>
>>>>> Limiting login attempts should be part of core.
>>>>>
>>>>> Chris
>>>>> _______________________________________________
>>>>> wp-hackers mailing list
>>>>> wp-hackers at lists.automattic.com
>>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>>
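The thread argues two sides of per-IP login throttling: Chris Williams' scheme (four failed attempts triggers a lockout, four lockouts in a day blocks the IP, so one address gets at most 16 guesses a day) and Chip Bennett's caveat that a botnet spreading a handful of guesses across tens of thousands of addresses never trips such a counter. The Python model below is an added example written for this page; it is not code from WordPress, from Limit Login Attempts, or from any other plugin. The 20-minute lockout length, the optional per-username failure cap, the IP addresses and the attempt timings are all constructed assumptions; the per-IP counts and the 16-per-day figure come from the thread.

```python
"""Model of per-IP login throttling versus a distributed brute-force attack.

Constructed example, not code from WordPress or any plugin. The per-IP
rules follow the scheme described in the thread: four failed attempts
trigger a temporary lockout, and four lockouts in one day block the IP for
the rest of the day, so a single IP gets at most 16 guesses per day. The
lockout length (20 minutes) and the optional per-account limit are
assumptions added here to illustrate the caveat about many-IP botnets.
"""
from collections import defaultdict
from dataclasses import dataclass

ATTEMPTS_PER_LOCKOUT = 4      # failed tries from one IP before a short lockout
LOCKOUTS_PER_DAY = 4          # lockouts before the IP is blocked for a day
LOCKOUT_SECONDS = 20 * 60     # assumption: length of the short lockout
DAY_SECONDS = 24 * 3600


@dataclass
class IpState:
    failures: int = 0          # failures since the last lockout
    lockouts: int = 0          # lockouts since the last day-long block
    locked_until: float = 0.0
    blocked_until: float = 0.0


class LoginThrottle:
    """Per-IP throttle with an optional per-username failure cap (assumption)."""

    def __init__(self, per_account_limit=None):
        self.ips = defaultdict(IpState)
        self.account_failures = defaultdict(int)
        self.per_account_limit = per_account_limit

    def allowed(self, ip, username, now):
        st = self.ips[ip]
        if now < st.blocked_until or now < st.locked_until:
            return False
        if (self.per_account_limit is not None
                and self.account_failures[username] >= self.per_account_limit):
            return False
        return True

    def record_failure(self, ip, username, now):
        st = self.ips[ip]
        st.failures += 1
        self.account_failures[username] += 1
        if st.failures >= ATTEMPTS_PER_LOCKOUT:
            st.failures = 0
            st.lockouts += 1
            st.locked_until = now + LOCKOUT_SECONDS
            if st.lockouts >= LOCKOUTS_PER_DAY:
                st.lockouts = 0
                st.blocked_until = now + DAY_SECONDS


def guesses_reaching_password_check(throttle, attempts):
    """attempts: (time, ip, username) tuples; every guess is assumed wrong.
    Returns how many guesses the throttle let through to the password check."""
    reached = 0
    for now, ip, username in attempts:
        if throttle.allowed(ip, username, now):
            reached += 1
            throttle.record_failure(ip, username, now)
    return reached


def single_ip_attack(seconds=DAY_SECONDS):
    """Constructed: one address guessing once per second for a whole day."""
    return [(t, "203.0.113.7", "admin") for t in range(seconds)]


def distributed_attack(n_ips, guesses_per_ip):
    """Constructed: n_ips addresses, each making only a handful of guesses."""
    return [(i * n_ips + j, f"10.{(j >> 16) & 255}.{(j >> 8) & 255}.{j & 255}", "admin")
            for i in range(guesses_per_ip) for j in range(n_ips)]


if __name__ == "__main__":
    print("single IP, per-IP rules only:",
          guesses_reaching_password_check(LoginThrottle(), single_ip_attack()))
    print("1000 IPs x 3 guesses, per-IP rules only:",
          guesses_reaching_password_check(LoginThrottle(), distributed_attack(1000, 3)))
    print("1000 IPs x 3 guesses, plus per-account cap of 50:",
          guesses_reaching_password_check(LoginThrottle(per_account_limit=50),
                                          distributed_attack(1000, 3)))
```

Running the model reproduces the thread's numbers: a single address hammering wp-login.php once a second gets exactly 16 guesses through in a day, which is what makes short passwords take "millennia". The distributed run shows the caveat: 1000 addresses making three guesses each never reach a lockout, so all 3000 guesses hit the password check; only the added per-account cap (or a shared blacklist of the kind Tom Barrett asks about) changes that, at the cost that an attacker can also lock the real account holder out, which is the trade-off behind the "false sense of security" remark.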