[wp-hackers] Limit Login Attempts

Vid Luther vid at zippykid.com
Tue Apr 16 19:56:40 UTC 2013


As a hosting provider, here's our take on things. We'd love your feedback.

1. Having dictionary-based passwords is a very good way to get in; these
bots can sometimes guess the right password on the first hit, and if that
happens, a "brute force detector" is useless.

2. In theory, as a hosting provider, we would love a way to share the
offending ips across our sites and with other providers. Maintaining the
accuracy of this list is daunting, and something we're understaffed to do.

3. Blocking 90,000 ips is not feasible. Currently we're handling 250,000
connections/second. Each connection being pre-approved will kill our edge
devices. Now, compare that to Automattic, or the larger providers like
Hostgator/GoDaddy etc.; it's just something that's not feasible.

4. We don't use apache, so all these plugins that use .htaccess are useless
on our systems.


I personally think 2 factor authentication is where we need to move. It's
going to be a pain to educate the layman about it, but it is possible, and
we should. The websites we host at zippyKid are business websites, most of
these businesses deploy an alarm on premise, why they wouldn't or shouldn't
on their own website is beyond me. Trying to make WordPress login more
"secure" is pointless. We need to make more educated users.




On Tue, Apr 16, 2013 at 2:37 PM, William P. Davis <will.davis at gmail.com> wrote:

> +1 for something that immediately regards user as suspicious if they're
> probing an admin user that doesn't exist.
> Sent from my BlackBerry
>
> -----Original Message-----
> From: Abdussamad Abdurrazzaq <abdussamad at abdussamad.com>
> Sender: wp-hackers-bounces at lists.automattic.com
> Date: Wed, 17 Apr 2013 00:25:03
> To: <wp-hackers at lists.automattic.com>
> Reply-To: wp-hackers at lists.automattic.com
> Subject: Re: [wp-hackers] Limit Login Attempts
>
> Delaying response times would lock up Apache processes that could be
> used to serve other requests. It is likely to backfire on you.
>
> On 16/04/13 23:12, Doug Smith wrote:
> > I like the approach of the Login Security Solution plugin in the way it
> enforces strong passwords and attempts to track both IPs and logins then do
> blocking, delays, and password resets.
> > http://wordpress.org/extend/plugins/login-security-solution/
> >
> > This particular distributed attack is mostly probing the user name
> "admin". It would seem that if a user with that name does not exist (since
> it's no longer a default) then the attempt could instantly be treated in
> the way the Login Security Solution plugin does but without waiting for
> repeated attempts. The delays would at least slow the attempts looking for
> an "admin" user.
> >
> > Doug
> >
> > On Apr 16, 2013, at 10:39 AM, wp-hackers-request at lists.automattic.com wrote:
> >
> >> Message: 5
> >> Date: Tue, 16 Apr 2013 11:39:48 -0400
> >> From: Chip Bennett <chip at chipbennett.net>
> >> Subject: Re: [wp-hackers] Limit Login Attempts
> >> To: "[wp-hackers]" <wp-hackers at lists.automattic.com>
> >> Message-ID: <CAPdLKqd21azx7AA68mTgZ=r=AcoaXyZ+HAMri+pSjVn-jMS0=Q at mail.gmail.com>
> >> Content-Type: text/plain; charset=ISO-8859-1
> >>
> >> "Does that overlook something important?"
> >>
> >> Well, unless you whitelist your own IP address to bypass the login
> lockout,
> >> then if the brute-force attack attacks your actual username, you could
> find
> >> yourself locked out of your own site.
> >>
> >> Another solution is to .htaccess whitelist your own IP address for
> >> wp-login.php, but that may not exactly be a low-maintenance solution
> >> (dynamic IP addresses, logging in from multiple locations/IP
> >> addresses/devices, etc.).
> >>
> >>
> >> On Tue, Apr 16, 2013 at 11:32 AM, onlyunusedname
> >> <onlyunusedname at gmail.com> wrote:
> >>
> >>> I've been using something similar to what Jesse describes: limiting
> >>> attempts based on username so that I may disregard IP.  Does that
> overlook
> >>> something important?
> >
> > --
> > Doug Smith: doug at smithsrus.com
> > http://smithsrus.com
> >
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
>



-- 
Vid Luther
CEO and Founder
ZippyKid
Managed Wordpress Hosting
http://zippykid.com/
210-789-0369
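The thread raises four constraints on login throttling: a per-username lockout lets a distributed attack lock the real owner out unless your own address is whitelisted (Chip Bennett), a probe for a username that does not exist can be treated as suspicious at once (Doug Smith, William P. Davis), sleeping on the request ties up web-server workers (Abdussamad Abdurrazzaq), and permanent blocklists of tens of thousands of addresses do not scale (Vid Luther). The policy below is an added example combining those points; it is not code from WordPress, from any plugin named in the thread, or from any poster, and the class name, thresholds, usernames and addresses are constructed for illustration.

```python
"""Login-throttle policy sketch (added example; thresholds are assumptions)."""


class LoginThrottle:
    """Decide, before the password is even checked, whether an attempt may proceed.

    * Per-IP failures are the primary lockout, so a distributed attack on one
      real username cannot lock its owner out from a trusted address.
    * Per-username failures are counted too, but trusted IPs bypass that
      lockout (the "whitelist your own IP" caveat from the thread).
    * A failed login for a username that does not exist flags the source IP
      immediately, without waiting for repeated attempts.
    * Every decision is an immediate allow/deny; there is no sleep() that
      would hold a web-server worker for the attacker.
    * Counters live in a sliding window and are discarded when empty, so the
      state stays bounded instead of becoming a permanent blocklist.
    """

    def __init__(self, known_users, trusted_ips=(), max_ip_fails=5,
                 max_user_fails=20, window_seconds=600):
        self.known_users = set(known_users)
        self.trusted_ips = set(trusted_ips)
        self.max_ip_fails = max_ip_fails
        self.max_user_fails = max_user_fails
        self.window = window_seconds
        self.ip_fails = {}        # ip -> list of failure timestamps
        self.user_fails = {}      # username -> list of failure timestamps
        self.suspicious_ips = {}  # ip -> time it probed a non-existent user

    def _count(self, table, key, now):
        """Drop timestamps older than the window; return the remaining count."""
        stamps = table.get(key)
        if stamps is None:
            return 0
        stamps[:] = [t for t in stamps if now - t <= self.window]
        if not stamps:
            del table[key]   # keep memory bounded
            return 0
        return len(stamps)

    def check(self, ip, username, now):
        """Return 'allow', 'deny_probe', 'deny_ip' or 'deny_user'."""
        if ip in self.trusted_ips:
            return "allow"
        flagged_at = self.suspicious_ips.get(ip)
        if flagged_at is not None:
            if now - flagged_at <= self.window:
                return "deny_probe"
            del self.suspicious_ips[ip]
        if self._count(self.ip_fails, ip, now) >= self.max_ip_fails:
            return "deny_ip"
        if self._count(self.user_fails, username, now) >= self.max_user_fails:
            return "deny_user"
        return "allow"

    def record_failure(self, ip, username, now):
        """Call after a login fails (wrong password or unknown username)."""
        if ip in self.trusted_ips:
            return
        if username not in self.known_users:
            # Probe of an account that does not exist: flag at once.
            self.suspicious_ips[ip] = now
            return   # do not let random usernames grow the per-user table
        self.ip_fails.setdefault(ip, []).append(now)
        self.user_fails.setdefault(username, []).append(now)

    def record_success(self, ip, username):
        self.ip_fails.pop(ip, None)
        self.user_fails.pop(username, None)


def demo():
    """Constructed scenario exercising each rule; returns the decisions."""
    t = LoginThrottle(known_users={"alice", "editor"},
                      trusted_ips={"203.0.113.10"})
    results = {}
    # A bot probes "admin" (no such account) from a documentation-range address.
    t.record_failure("198.51.100.7", "admin", now=0)
    results["probe_flagged"] = t.check("198.51.100.7", "alice", now=1)
    # A distributed attack on the real user "alice" from 25 different addresses.
    for i in range(25):
        t.record_failure(f"192.0.2.{i}", "alice", now=10 + i)
    results["alice_from_unknown_ip"] = t.check("192.0.2.200", "alice", now=40)
    results["alice_from_trusted_ip"] = t.check("203.0.113.10", "alice", now=40)
    # One address hammering a real account trips the per-IP limit.
    for i in range(5):
        t.record_failure("192.0.2.99", "editor", now=50 + i)
    results["ip_locked"] = t.check("192.0.2.99", "editor", now=55)
    # After the window passes, the counters expire and the address is clean again.
    results["ip_after_window"] = t.check("192.0.2.99", "editor", now=55 + 601)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The `deny_user` outcome for `192.0.2.200` is exactly the lockout Chip Bennett warns about: the attackers never guessed alice's password, yet alice cannot log in from an unlisted address until the window expires. The trusted-IP bypass is what keeps the site owner in, which is why the whitelist caveat matters more than the per-username counter itself.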

