[wp-hackers] Limit Login Attempts

Chris Williams chris at clwill.com
Tue Apr 16 17:53:26 UTC 2013

Since everyone seems to want to make the perfect the enemy of the good, I
have an alternative proposal.

When spam threatened the very existence of WP years ago, Automattic rose
to the occasion and created Akismet.  Between it and Bad Behavior, I see
essentially zero uncaught spam.  They did a great job, providing a
centralized solution against a decentralized attack vector, and it works

In this case, what if each failed login attempt was logged (on
Automattic's servers like Akismet), and if more than X are seen in a given
time period (even a huge number like 25/day?) from ANY WP site that IP is
logged, and prevented from logging in on any WP site that participates in
the program.  Perhaps it is even added to generally available blacklists,
so that things like Bad Behavior can stop it earlier.  Sure, since it
phone's home, this would have to be a plugin so participation can be
voluntary, but within a few days, this bot would be killed.

As a community, I fail to believe our only defense against this is for
each of us to build our own TSA at our own WP site.  Especially by simply
using the power of millions of WP sites sharing information we can stop it
in its tracks.

More information about the wp-hackers mailing list