[wp-hackers] Limit Login Attempts
Jeff Morris
wp-hackers at zipsbazaar.co.uk
Tue Apr 16 16:52:04 UTC 2013
The solution is not to swat away the flies, but to dispose of the turd.
The cardinal weaknesses of WP historically arise from the 'well-known
name' effect. So a *published* response to, for example, the
wp-login.php brute-force problem, is doomed right off the bat. It can
hardly be described as an unforeseen consequence.
The real success I've had in dealing with brute-forcing has been to
block all requests for wp-login.php (inter alia) at the server level (in
.htaccess) and substitute an alternate vector for that functionality -
either over AJAX or by using an unguessable script filename. And I mean
a filename that doesn't 'say on the tin what it does'. Yes, there's more
but...
I also hate the way WP tosses its forms out like confetti to all and
sundry, but I guess it has no choice out-of-the-box.
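The server-level block the post describes, written out as an added example (this is not code from the original message or from WordPress). It refuses every HTTP request for wp-login.php in the site's .htaccess; the replacement entry point (an AJAX handler or a script with a non-descriptive filename, as the author suggests) is assumed to exist separately and is not shown. The file is assumed to sit in the WordPress document root with AllowOverride permitting these directives.

```apache
# Added example, not from the original post: deny all HTTP requests for
# wp-login.php at the web-server level so WordPress never handles them.
# Assumes this .htaccess lives in the WordPress root and that the host
# allows Limit/AuthConfig overrides for this directory.
<Files "wp-login.php">
    # Apache 2.4 (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
```

Two things to keep in mind when using this. The deny applies only to requests that arrive over HTTP: a PHP script elsewhere in the tree can still include wp-login.php from the filesystem, which is what makes an alternate entry point possible. And the stock login form posts back to wp-login.php, so a replacement script has to take over that submission path as well, or legitimate logins will be refused along with the brute-force ones. After deploying, a request such as `curl -I https://example.invalid/wp-login.php` (hostname hypothetical) should return 403.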