[wp-hackers] Limit Login Attempts
William P. Davis
will.davis at gmail.com
Tue Apr 16 19:37:07 UTC 2013
+1 for something that immediately regards user as suspicious if they're probing an admin user that doesn't exist.
Sent from my BlackBerry
From: Abdussamad Abdurrazzaq <abdussamad at abdussamad.com>
Sender: wp-hackers-bounces at lists.automattic.com
Date: Wed, 17 Apr 2013 00:25:03
To: <wp-hackers at lists.automattic.com>
Reply-To: wp-hackers at lists.automattic.com
Subject: Re: [wp-hackers] Limit Login Attempts
Delaying response times would lock up Apache processes that could be
used to serve other requests. It is likely to backfire on you.
On 16/04/13 23:12, Doug Smith wrote:
> I like the approach of the Login Security Solution plugin in the way it enforces strong passwords and attempts to track both IPs and logins then do blocking, delays, and password resets.
> This particular distributed attack is mostly probing the user name "admin". It would seem that if a user with that name does not exist (since it's no longer a default) then the attempt could instantly be treated in the way the Login Security Solution plugin does but without waiting for repeated attempts. The delays would at least slow the attempts looking for an "admin" user.
> On Apr 16, 2013, at 10:39 AM, wp-hackers-request at lists.automattic.com wrote:
>> Message: 5
>> Date: Tue, 16 Apr 2013 11:39:48 -0400
>> From: Chip Bennett <chip at chipbennett.net>
>> Subject: Re: [wp-hackers] Limit Login Attempts
>> To: "[wp-hackers]" <wp-hackers at lists.automattic.com>
>> <CAPdLKqd21azx7AA68mTgZ=r=AcoaXyZ+HAMri+pSjVn-jMS0=Q at mail.gmail.com>
>> Content-Type: text/plain; charset=ISO-8859-1
>> "Does that overlook something important?"
>> Well, unless you whitelist your own IP address to bypass the login lockout,
>> then if the brute-force attack attacks your actual username, you could find
>> yourself locked out of your own site.
>> Another solution is to .htaccess whitelist your own IP address for
>> wp-login.php, but that may not exactly be a low-maintenance solution
>> (dynamic IP addresses, logging in from multiple locations/IP
>> addresses/devices, etc.).
>> On Tue, Apr 16, 2013 at 11:32 AM, onlyunusedname
>> <onlyunusedname at gmail.com> wrote:
>>> I've been using something similar to what Jesse describes: limiting
>>> attempts based on username so that I may disregard IP. Does that overlook
>>> something important?
> Doug Smith: doug at smithsrus.com
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
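An added example, not from the thread and not the Login Security Solution plugin, of the policy the messages above converge on, written as a small WordPress plugin: failures are counted per username as well as per IP, an attempt against a login that does not exist is rejected on the first try, the operator's whitelisted address is exempt so the brute force cannot lock them out, and nothing sleeps. The whitelist address, transient key prefix, thresholds and hook priorities are assumptions of this example.

```php
<?php
/*
 * Plugin Name: Probe-Aware Login Limiter (added example)
 * Illustrates the approach discussed on wp-hackers; not the Login
 * Security Solution plugin and not code from the thread.
 */

const PALL_WHITELIST = array( '203.0.113.10' ); // constructed placeholder for the operator's IP
const PALL_MAX_FAILS = 5;                       // assumed failures per username/IP before lockout
const PALL_LOCK_SECS = 900;                     // assumed lockout window in seconds

function pall_ip() {
    // Behind a reverse proxy this must come from a trusted forwarded header instead.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function pall_key( $scope, $id ) {
    return 'pall_' . $scope . '_' . md5( strtolower( $id ) );
}

function pall_strike( $scope, $id ) {
    $n = (int) get_transient( pall_key( $scope, $id ) ) + 1;
    set_transient( pall_key( $scope, $id ), $n, PALL_LOCK_SECS );
    return $n;
}

// Count every failed login per username (so the IP can be disregarded) and per IP.
add_action( 'wp_login_failed', function ( $username ) {
    if ( in_array( pall_ip(), PALL_WHITELIST, true ) ) { return; }
    pall_strike( 'user', $username );
    pall_strike( 'ip', pall_ip() );
} );

// Priority 30 runs after core's username/password check (priority 20),
// so the lockout error is the final result and is not overridden by core.
add_filter( 'authenticate', function ( $user, $username ) {
    $ip = pall_ip();
    if ( '' === $username || in_array( $ip, PALL_WHITELIST, true ) ) {
        return $user; // whitelisted operator address is never locked out
    }
    // A login that does not exist (e.g. "admin" on a site without one) is a
    // probe: treat it as hostile immediately instead of waiting for repeats.
    if ( ! get_user_by( 'login', $username ) ) {
        set_transient( pall_key( 'ip', $ip ), PALL_MAX_FAILS, PALL_LOCK_SECS );
        return new WP_Error( 'pall_probe', 'Login attempt rejected.' );
    }
    $locked = (int) get_transient( pall_key( 'user', $username ) ) >= PALL_MAX_FAILS
           || (int) get_transient( pall_key( 'ip', $ip ) ) >= PALL_MAX_FAILS;
    // Reject at once rather than sleeping: a delay would pin an Apache worker.
    return $locked ? new WP_Error( 'pall_locked', 'Too many attempts.' ) : $user;
}, 30, 2 );
```

Returning a generic message for the non-existent-user case also avoids confirming to the prober which logins exist.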