[wp-hackers] Limit Login Attempts

Jeff Morris wp-hackers at zipsbazaar.co.uk
Tue Apr 16 16:52:04 UTC 2013

The solution is not to swat away the flies, but to dispose of the turd.

The cardinal weaknesses of WP historically arise from the 'well-known 
name' effect. So a *published* response to, for example, the 
wp-login.php brute-force problem, is doomed right off the bat. It can 
hardly be described as an unforeseen consequence.

The real success I've had in dealing with brute-forcing has been to 
block all requests for wp-login.php (inter alia) at the server level (in 
.htaccess) and substitute an alternate vector for that functionality - 
either over AJAX or by using an unguessable script filename. And I mean 
a filename that doesn't 'say on the tin what it does'. Yes, there's more 

I also hate the way WP tosses its forms out like confetti to all and 
sundry, but I guess it has no choice out-of-the-box.

More information about the wp-hackers mailing list