[wp-hackers] Limit Login Attempts

Chris Williams chris at clwill.com
Tue Apr 16 15:45:50 UTC 2013

First, let me be clear.  I'm not talking about the specific plugin "Limit
Login Attempts".  I'm talking about the concept.  How exactly it's
accomplished can be refined.

Second, as to a "false sense of security", the same can be said of car
door/ignition locks.  But that doesn't mean we shouldn't have them and
people shouldn't use them.

Third, every single internet app I use that requires a username/password
does this.  My bank, every airline web site, and on and on.  It's just
basic username/password hygiene.

On 4/16/13 8:25 AM, "Chip Bennett" <chip at chipbennett.net> wrote:

>I agree that Limit Login Attempts is useful, and does block single-IP
>brute-force attacks. (I use, and love, Limit Login Attempts.)
>But this particular botnet has demonstrated the ability to vary the IP
>address used to brute-force a given site. That behavior, IIRC, has been
>observed in the wild.
>My caution in adding Limit Login Attempts to core in response to this
>attack is that it would give a false sense of security, WRT both
>brute-force login attempts and DDoS.
>On Tue, Apr 16, 2013 at 11:14 AM, Chris Williams <chris at clwill.com> wrote:
>> Because if you only allow each IP four (Five? Six?) login attempts per
>> day, you essentially stop them all.
>> In my log analysis, it's not the case that each IP only makes a few
>> attempts.  They try hundreds/thousands. Now they are hitting my block,
>> which requires a block of four attempts four times (16 total hits in a
>> day period).
>> If you look at the analysis on this, it all says something like "at 1000
>> attempts/minute it takes only N days to crack your short password".
>> at 4 attempts/day, that number becomes millennia.
>> More to the point, why NOT do this?  It doesn't require everyone to
>> their password.  It doesn¹t require everyone to remove the "admin"
>> account. It doesn't require any changes at all, yet helps protect even
>> most lax of password choosers.
>> On 4/16/13 7:53 AM, "Chip Bennett" <chip at chipbennett.net> wrote:
>> >If 90,000 unique IP addresses are attempting a brute-force attack, in
>> >which
>> >no single IP address makes more than a handful of attempts, how
>> >will it be to limit login attempts by IP address?
>> >
>> >I would support the inclusion of Limit Login Attempts in core, based on
>> >its
>> >utility; however, it won't do any particular good in dealing with the
>> >potential of the current attack.
>> >
>> >
>> >On Tue, Apr 16, 2013 at 10:36 AM, Chris Williams <chris at clwill.com>
>> wrote:
>> >
>> >> I made a rather reasonable proposal, and received plenty of advice,
>> >> the proposal never was vetted.  Now the issue of brute force attacks
>> >> even received Matt's attention:
>> >> http://ma.tt/2013/04/passwords-and-brute-force/
>> >>
>> >> On the dozen or so WP sites I manage, wp-login.php is frequently
>> >>the
>> >> top 10 most often accessed pages.  Yes, I have removed the admin
>> >>account.
>> >>  Yes, I have robust passwords.  Yes, I have plugins to help.  Yes, I
>> >> playing whack-a-mole and blocking the IPs one-by-one.  But brute
>> >> attempts to login are happening at an alarming rate.
>> >>
>> >> Wordpress should include login attempt limiting as part of core:
>> >>
>> >>  *   Logging into WP is a core feature
>> >>  *   Usernames and passwords are a core part of WP security
>> >>  *   Password strength metering is a core feature
>> >>  *   Limiting guesses is a key way to defend against brute force
>> >>
>> >> Is this the end-all-be-all to WP security?  No, of course not.
>> >>
>> >> But much of WP security depends on not being able to get access to
>> >> privileged accounts.  And limiting login attempts is a simple,
>> >> straightforward, non-invasive way to dramatically improve that
>> >>  It has almost no impact on the good guys and virtually eliminates a
>> >>common
>> >> exploit path.
>> >>
>> >> Not every WP site allows comments, so having Akismet a plugin makes
>> >>sense.
>> >>  Many other other plugins make sense as plugins.  But logging into WP
>> >>is an
>> >> essential facility.
>> >>
>> >> Limiting login attempts should be part of core.
>> >>
>> >> Chris
>> >> _______________________________________________
>> >> wp-hackers mailing list
>> >> wp-hackers at lists.automattic.com
>> >> http://lists.automattic.com/mailman/listinfo/wp-hackers
>> >>
>> >_______________________________________________
>> >wp-hackers mailing list
>> >wp-hackers at lists.automattic.com
>> >http://lists.automattic.com/mailman/listinfo/wp-hackers
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>wp-hackers mailing list
>wp-hackers at lists.automattic.com

More information about the wp-hackers mailing list