[wp-hackers] Limit Login Attempts

Jesse Friedman highfive at jesserfriedman.com
Tue Apr 16 20:01:17 UTC 2013


Right now you can get confirmation from WordPress that an admin username
exists simply by going to the forgotten password screen. It will literally
tell you if you don't have the right username; when you finally do, it
will confirm that an email has been sent.

That should be fixed.

I tell clients, colleagues and students to employ best practices like:

   - never publishing content with a role greater than author
   - admin usernames should be far more difficult than a typical username
   (i.e. j4Friedman49)
   - passwords should be 10 characters long, uppercase, lowercase, numbers
   and characters

Those best practices, combined with functionality that simply presents
captcha based on too many attempts whether it is IP or username based will
fix everything.

Jesse


On Tue, Apr 16, 2013 at 3:48 PM, Ian Dunn <ian at iandunn.name> wrote:

> PHP has levenshtein() and similar_text() to calculate how closely related
> two strings are to each other.
>
> http://php.net/manual/en/function.levenshtein.php
> http://www.php.net/manual/en/function.similar-text.php
>
>
>
> On 04/16/2013 12:43 PM, Michael Donaghy wrote:
>
>> Agreed.  In fact, suspicious if the user doesn't exist altogether. Could
>> be troublesome for some who accidentally enters in a username wrong, but
>> maybe there can be a way out of that use case.
>>
>>
>> On Tue, Apr 16, 2013 at 3:37 PM, William P. Davis <will.davis at gmail.com> wrote:
>>
>>> +1 for something that immediately regards user as suspicious if they're
>>> probing an admin user that doesn't exist.
>>> Sent from my BlackBerry
>>>
>>> -----Original Message-----
>>> From: Abdussamad Abdurrazzaq <abdussamad at abdussamad.com>
>>> Sender: wp-hackers-bounces at lists.automattic.com
>>> Date: Wed, 17 Apr 2013 00:25:03
>>> To: <wp-hackers at lists.automattic.com>
>>> Reply-To: wp-hackers at lists.automattic.com
>>> Subject: Re: [wp-hackers] Limit Login Attempts
>>>
>>> Delaying response times would lock up Apache processes that could be
>>> used to serve other requests. It is likely to back fire on you.
>>>
>>> On 16/04/13 23:12, Doug Smith wrote:
>>>
>>>> I like the approach of the Login Security Solution plugin in the way it
>>>> enforces strong passwords and attempts to track both IPs and logins then
>>>> do blocking, delays, and password resets.
>>>>
>>>> http://wordpress.org/extend/plugins/login-security-solution/
>>>>
>>>> This particular distributed attack is mostly probing the user name
>>>> "admin". It would seem that if a user with that name does not exist
>>>> (since it's no longer a default) then the attempt could instantly be
>>>> treated in the way the Login Security Solution plugin does but without
>>>> waiting for repeated attempts. The delays would at least slow the
>>>> attempts looking for an "admin" user.
>>>>
>>>> Doug
>>>>
>>>> On Apr 16, 2013, at 10:39 AM, wp-hackers-request at lists.automattic.com wrote:
>>>>
>>>>> Message: 5
>>>>> Date: Tue, 16 Apr 2013 11:39:48 -0400
>>>>> From: Chip Bennett <chip at chipbennett.net>
>>>>> Subject: Re: [wp-hackers] Limit Login Attempts
>>>>> To: "[wp-hackers]" <wp-hackers at lists.automattic.com>
>>>>> Message-ID: <CAPdLKqd21azx7AA68mTgZ=r=AcoaXyZ+HAMri+pSjVn-jMS0=Q at mail.gmail.com>
>>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>>>
>>>>> "Does that overlook something important?"
>>>>>
>>>>> Well, unless you whitelist your own IP address to bypass the login
>>>>> lockout, then if the brute-force attack attacks your actual username,
>>>>> you could find yourself locked out of your own site.
>>>>>
>>>>> Another solution is to .htaccess whitelist your own IP address for
>>>>> wp-login.php, but that may not exactly be a low-maintenance solution
>>>>> (dynamic IP addresses, logging in from multiple locations/IP
>>>>> addresses/devices, etc.).
>>>>>
>>>>>
>>>>> On Tue, Apr 16, 2013 at 11:32 AM, onlyunusedname
>>>>> <onlyunusedname at gmail.com> wrote:
>>>>>
>>>>>> I've been using something similar to what Jesse describes: limiting
>>>>>> attempts based on username so that I may disregard IP.  Does that
>>>>>> overlook something important?
>>>>>>
>>>> --
>>>> Doug Smith: doug at smithsrus.com
>>>> http://smithsrus.com
>>>>
>>>> _______________________________________________
>>>> wp-hackers mailing list
>>>> wp-hackers at lists.automattic.com
>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>



-- 
thanks

jesse friedman
jes.se.com

Book: Web Designers Guide to WordPress - http://wdgwp.com/onamazon
Twitter: @professor <http://twitter.com/professor>
Facebook: https://www.facebook.com/pages/Jesse-Friedman/204793299545174
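As an added example, not code from this message, from WordPress core or from the Login Security Solution plugin, the PHP below puts together what the thread proposes: failures counted per IP and per username (so a single address can be blocked while an attack spread over many addresses against one real account still gets caught), an immediate penalty for probing a username that does not exist (the "admin" case Doug describes), a captcha demand or refusal instead of a sleep() so no Apache worker is held, and an allow-list for the operator's own address against the self-lockout Chip warns about. The class name `LoginAttemptLimiter`, the transient key `login_limiter_store`, the thresholds, the `probeWeight` knob, the error codes and messages, and the addresses (documentation ranges) are all this example's assumptions; the hooks it registers (`authenticate`, `wp_login_failed`, `wp_login`), `get_user_by()`, transients and `WP_Error` are real WordPress APIs, and the scenario replayed at the bottom is constructed for the demo.

```php
<?php
// Added example for this thread; not code from the message above, from WordPress core or
// from the Login Security Solution plugin. Needs PHP 7.1+. Failures are counted per source
// IP and per username; a request for a username that does not exist (such as "admin" once
// it has been removed) is hostile at once; the answer is a refusal, never a sleep().
final class LoginAttemptLimiter
{
    private $store = [];   // "ip:<addr>" or "user:<name>" => [failure count, window start]
    private $userExists;   // callable(string): bool
    private $now;          // callable(): int, injectable so the demo can move the clock
    private $maxPerIp, $maxPerUser, $probeWeight, $window, $trustedIps;
    public function __construct(callable $userExists, int $maxPerIp = 10, int $maxPerUser = 5,
        int $probeWeight = 5, int $window = 900, array $trustedIps = [], ?callable $now = null)
    {
        $this->userExists = $userExists;   $this->maxPerIp = $maxPerIp;   $this->maxPerUser = $maxPerUser;
        $this->probeWeight = $probeWeight; $this->window = $window;       $this->trustedIps = $trustedIps;
        $this->now = $now ?? 'time';
    }
    // Verdict taken before the password is judged: 'allow'; 'challenge' (a real account is
    // under attack: demand a captcha, do not lock its owner out); 'block' (IP budget spent).
    public function decide(string $ip, string $username): string
    {
        if (in_array($ip, $this->trustedIps, true)) { return 'allow'; }   // operator allow-list
        $username = strtolower(trim($username));
        if (!($this->userExists)($username)) {
            // A probe for a non-existent user costs $probeWeight failures: equal to $maxPerIp
            // is the instant block proposed in the thread; a smaller value forgives one typo.
            $this->bump('ip:' . $ip, $this->probeWeight);
            return 'block';
        }
        if ($this->count('ip:' . $ip) >= $this->maxPerIp) { return 'block'; }
        if ($this->count('user:' . $username) >= $this->maxPerUser) { return 'challenge'; }
        return 'allow';
    }
    public function recordFailure(string $ip, string $username): void
    {
        $this->bump('ip:' . $ip, 1);
        $this->bump('user:' . strtolower(trim($username)), 1);
    }
    public function recordSuccess(string $username): void   // only the user counter resets; the IP keeps its history
    {
        unset($this->store['user:' . strtolower(trim($username))]);
    }
    public function count(string $key): int
    {
        [$n, $start] = $this->store[$key] ?? [0, 0];
        if ($n > 0 && ($this->now)() - $start > $this->window) {   // window passed: forget it
            unset($this->store[$key]);
            return 0;
        }
        return $n;
    }
    private function bump(string $key, int $by): void
    {
        $n = $this->count($key);
        $this->store[$key] = [$n + $by, $n === 0 ? ($this->now)() : $this->store[$key][1]];
    }
    public function export(): array { return $this->store; }
    public function import(array $s): void { $this->store = $s; }
}

// WordPress wiring, registered only when WordPress is loaded. The hooks, get_user_by(), transients
// and WP_Error are real APIs; the transient key, thresholds, messages and IP are this example's.
if (function_exists('add_filter')) {
    $limiter = new LoginAttemptLimiter(function (string $u): bool { return get_user_by('login', $u) !== false; },
        10, 5, 5, 900, ['203.0.113.7' /* your own fixed IP, if you have one */]);
    $limiter->import((array) get_transient('login_limiter_store'));
    add_action('shutdown', function () use ($limiter) { set_transient('login_limiter_store', $limiter->export(), 900); });
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';   // behind a proxy, read the trusted forwarded header instead
    // Priority 30 runs after core's password check (20): a blocked source is refused even with
    // the right password and learns nothing, and no sleep() ties up the worker.
    add_filter('authenticate', function ($user, $username) use ($limiter, $ip) {
        if (empty($username)) { return $user; }   // wp-login.php calls wp_signon() with no credentials on GET
        switch ($limiter->decide($ip, (string) $username)) {
            case 'block':     return new WP_Error('too_many_attempts', 'Too many login attempts; try again later.');
            case 'challenge': return new WP_Error('captcha_required', 'Please solve the captcha and retry.'); // verify the captcha token here
            default:          return $user;
        }
    }, 30, 2);
    add_action('wp_login_failed', function ($username) use ($limiter, $ip) { $limiter->recordFailure($ip, (string) $username); });
    add_action('wp_login', function ($username) use ($limiter) { $limiter->recordSuccess((string) $username); });
} else {
    // Stand-alone run (php file.php): a constructed scenario on the in-memory store with a fake clock.
    $clock = 1000000;
    $l = new LoginAttemptLimiter(function (string $u): bool { return $u === 'j4friedman49'; },
        10, 5, 5, 900, ['198.51.100.1'], function () use (&$clock): int { return $clock; });
    $want = function (string $got, string $exp, string $case): void { if ($got !== $exp) { throw new RuntimeException("$case: got $got, expected $exp"); } };
    $want($l->decide('192.0.2.10', 'admin'), 'block', 'probe for the removed admin user');
    $want($l->decide('192.0.2.10', 'j4friedman49'), 'allow', 'one probe costs 5 of the 10-failure IP budget');
    $l->decide('192.0.2.10', 'admin');
    $want($l->decide('192.0.2.10', 'j4friedman49'), 'block', 'second probe exhausts the IP budget');
    for ($i = 0; $i < 5; $i++) { $l->recordFailure("203.0.113.$i", 'j4friedman49'); }   // distributed guessing of a real name
    $want($l->decide('203.0.113.99', 'j4friedman49'), 'challenge', 'real user under attack gets a captcha, not a lockout');
    $want($l->decide('198.51.100.1', 'j4friedman49'), 'allow', 'allow-listed operator IP');
    $clock += 901;
    $want($l->decide('203.0.113.99', 'j4friedman49'), 'allow', 'counters expire with the window');
    echo "all checks passed\n";
}
```

Run from the PHP CLI it replays the constructed scenario; dropped into a plugin file it registers the hooks instead. Two caveats a practitioner would want: the single shared transient is a lost-update race when attempts arrive concurrently (a real plugin keeps one counter per IP and per username, or uses an atomic increment in the object cache), and a per-IP counter alone is weak against the distributed attack the thread describes, which is why the per-username path demands a captcha rather than relying on IP. The lost-password enumeration Jesse points out is a separate fix: that screen has to return the same message whether or not the username exists.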

