[wp-hackers] Limit Login Attempts
Marko Heijnen
mailing at markoheijnen.nl
Tue Apr 16 20:11:37 UTC 2013
I agree on the best practices except the admin usernames. It's idiotic to have an admin name as Marko1321more23421weird.
Marko
On 16 Apr 2013, at 22:01, Jesse Friedman <highfive at jesserfriedman.com> wrote:
> Right now you can get confirmation from WordPress that an admin username
> exists simply by going to the forgotten password screen. It will literally
> tell you, if you don't have the right username, when you finally do, it
> will confirm that an email has been sent.
>
> That should be fixed
>
> I tell clients, colleagues and students to employ best practices like:
>
> - never publishing content with a role greater than author
> - admin usernames should be far more difficult than a typical username
> (i.e. j4Friedman49)
> - passwords should be 10 characters long, uppercase, lowercase, numbers
> and characters
>
> Those best practices, combined with functionality that simply presents
> captcha based on too many attempts whether it is IP or username based will
> fix everything.
>
> Jesse
>
>
> On Tue, Apr 16, 2013 at 3:48 PM, Ian Dunn <ian at iandunn.name> wrote:
>
>> PHP has levenshtein() and similar_text() to calculate how closely related
>> two strings are to each other.
>>
>> http://php.net/manual/en/function.levenshtein.php
>> http://www.php.net/manual/en/function.similar-text.php
>>
>>
>>
>> On 04/16/2013 12:43 PM, Michael Donaghy wrote:
>>
>>> Agreed. In fact, suspicious if the user doesn't exist altogether. Could
>>> be troublesome for some who accidentally enters in a username wrong, but
>>> maybe there can be a way out of that use case.
>>>
>>>
>>> On Tue, Apr 16, 2013 at 3:37 PM, William P. Davis <will.davis at gmail.com> wrote:
>>>
>>>> +1 for something that immediately regards user as suspicious if they're
>>>> probing an admin user that doesn't exist.
>>>> Sent from my BlackBerry
>>>>
>>>> -----Original Message-----
>>>> From: Abdussamad Abdurrazzaq <abdussamad at abdussamad.com>
>>>> Sender: wp-hackers-bounces at lists.automattic.com
>>>> Date: Wed, 17 Apr 2013 00:25:03
>>>> To: <wp-hackers at lists.automattic.com>
>>>> Reply-To: wp-hackers at lists.automattic.com
>>>> Subject: Re: [wp-hackers] Limit Login Attempts
>>>>
>>>> Delaying response times would lock up Apache processes that could be
>>>> used to serve other requests. It is likely to backfire on you.
>>>>
>>>> On 16/04/13 23:12, Doug Smith wrote:
>>>>
>>>>> I like the approach of the Login Security Solution plugin in the way it
>>>>> enforces strong passwords and attempts to track both IPs and logins then
>>>>> do blocking, delays, and password resets.
>>>>>
>>>>> http://wordpress.org/extend/plugins/login-security-solution/
>>>>>
>>>>> This particular distributed attack is mostly probing the user name
>>>>> "admin". It would seem that if a user with that name does not exist
>>>>> (since it's no longer a default) then the attempt could instantly be
>>>>> treated in the way the Login Security Solution plugin does but without
>>>>> waiting for repeated attempts. The delays would at least slow the
>>>>> attempts looking for an "admin" user.
>>>>
>>>>> Doug
>>>>>
>>>>> On Apr 16, 2013, at 10:39 AM, wp-hackers-request at lists.automattic.com wrote:
>>>>>
>>>>>> Message: 5
>>>>>> Date: Tue, 16 Apr 2013 11:39:48 -0400
>>>>>> From: Chip Bennett <chip at chipbennett.net>
>>>>>> Subject: Re: [wp-hackers] Limit Login Attempts
>>>>>> To: "[wp-hackers]" <wp-hackers at lists.automattic.com>
>>>>>> Message-ID: <CAPdLKqd21azx7AA68mTgZ=r=AcoaXyZ+HAMri+pSjVn-jMS0=Q at mail.gmail.com>
>>>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>>>>
>>>>>> "Does that overlook something important?"
>>>>>>
>>>>>> Well, unless you whitelist your own IP address to bypass the login
>>>>>> lockout, then if the brute-force attack attacks your actual username,
>>>>>> you could find yourself locked out of your own site.
>>>>>>
>>>>>> Another solution is to .htaccess whitelist your own IP address for
>>>>>> wp-login.php, but that may not exactly be a low-maintenance solution
>>>>>> (dynamic IP addresses, logging in from multiple locations/IP
>>>>>> addresses/devices, etc.).
>>>>>>
>>>>>>
>>>>>> On Tue, Apr 16, 2013 at 11:32 AM, onlyunusedname
>>>>>> <onlyunusedname at gmail.com> wrote:
>>>>>>
>>>>>>> I've been using something similar to what Jesse describes: limiting
>>>>>>> attempts based on username so that I may disregard IP. Does that
>>>>>>> overlook something important?
>>>>>>>
>>>>> --
>>>>> Doug Smith: doug at smithsrus.com
>>>>> http://smithsrus.com
>>>>>
>>>>> _______________________________________________
>>>>> wp-hackers mailing list
>>>>> wp-hackers at lists.automattic.com
>>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
> --
> thanks
>
> jesse friedman
> jes.se.com
>
> Book: Web Designers Guide to WordPress - http://wdgwp.com/onamazon
> Twitter: @professor <http://twitter.com/professor>
> Facebook: https://www.facebook.com/pages/Jesse-Friedman/204793299545174
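The thread above circles a handful of design points for a login throttle: count failures per username as well as per source IP (onlyunusedname, Jesse), let the site owner's own address bypass the lockout so an attack on the real username cannot lock the owner out (Chip), treat a failed attempt against a privileged name that does not exist as a probe and block it at once (Doug, William), but tolerate an honest typo of a real username by checking edit distance (Michael, Ian), reject rather than sleep so worker processes are not tied up (Abdussamad), and answer the forgotten-password form identically whether or not the account exists (Jesse). The block below is an added example that pulls those points into one in-memory throttle; it is not code from WordPress, from the Login Security Solution plugin, or from anyone on this list. It is written in Python rather than PHP so it runs stand-alone, and it reimplements the edit-distance function that the thread notes PHP provides as levenshtein(). The user list, the privileged-name list, the trusted IP (from the RFC 5737 documentation range), the thresholds and the window lengths are all constructed for the example.

```python
"""Login throttle keyed on username and on source IP (added example, not WordPress code)."""
import time
from collections import defaultdict, deque

KNOWN_USERS = {"marko", "jesse", "doug", "root1"}      # constructed sample accounts
PRIVILEGED_NAMES = {"admin", "administrator", "root"}  # names blind probes try first
TRUSTED_IPS = {"203.0.113.10"}   # constructed: the site owner's own address, never locked

MAX_FAILURES = 5      # failures allowed per key inside WINDOW before the key is locked
WINDOW = 15 * 60      # seconds over which failures are counted
LOCKOUT = 60 * 60     # seconds a locked key is refused
TYPO_DISTANCE = 2     # edit distance at or below which a wrong name counts as a typo


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), the same measure as PHP's levenshtein()."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LoginThrottle:
    """Sliding-window failure counter with hard lockouts; it never sleeps, it only refuses."""

    def __init__(self, now=time.time):
        self.now = now                          # injectable clock so the logic is testable
        self.failures = defaultdict(deque)      # key -> timestamps of failures inside WINDOW
        self.locked_until = {}                  # key -> unix time at which the lock expires

    def _prune(self, key: str, t: float) -> deque:
        q = self.failures[key]
        while q and q[0] < t - WINDOW:
            q.popleft()
        return q

    def is_locked(self, key: str, t: float) -> bool:
        until = self.locked_until.get(key)
        if until is not None and t < until:
            return True
        self.locked_until.pop(key, None)        # expired lock: forget it
        return False

    def lock(self, key: str, t: float) -> None:
        self.locked_until[key] = t + LOCKOUT
        self.failures.pop(key, None)

    def check(self, username: str, ip: str) -> str:
        """Decide before the password is even verified: 'allow' or 'deny'."""
        t = self.now()
        if ip in TRUSTED_IPS:
            return "allow"                      # owner bypass (the whitelist Chip describes)
        if self.is_locked("user:" + username.lower(), t) or self.is_locked("ip:" + ip, t):
            return "deny"
        return "allow"

    def record_failure(self, username: str, ip: str) -> str:
        """Called after a failed password check; returns the action taken."""
        t = self.now()
        name = username.lower()
        if ip in TRUSTED_IPS:
            return "ignored"
        # Blind probe: a privileged name that is neither a real account nor a typo of one.
        if name in PRIVILEGED_NAMES and name not in KNOWN_USERS:
            if min(levenshtein(name, u) for u in KNOWN_USERS) > TYPO_DISTANCE:
                self.lock("ip:" + ip, t)        # lock the source immediately, not after N tries
                return "locked-ip"
        locked = []
        for key in ("user:" + name, "ip:" + ip):
            q = self._prune(key, t)
            q.append(t)
            if len(q) >= MAX_FAILURES:
                self.lock(key, t)
                locked.append(key.split(":")[0])
        return "locked-" + "+".join(locked) if locked else "counted"


def password_reset_response(username: str) -> str:
    """Identical reply whether or not the account exists, so the form cannot enumerate users."""
    if username.lower() in KNOWN_USERS:
        pass  # the reset e-mail would be sent here; the requester never learns this branch ran
    return "If an account with that username exists, a reset link has been e-mailed to it."


if __name__ == "__main__":
    th = LoginThrottle()
    print(th.record_failure("admin", "192.0.2.5"))   # blind probe: locked-ip
    print(th.check("marko", "192.0.2.5"))            # same source now denied for any user
    print(th.record_failure("root", "192.0.2.6"))    # close to real "root1": only counted
```

The per-username key is what makes IP rotation useless against a single account, and the per-IP key is what makes a single source useless against many accounts; the trusted-IP set is the escape hatch for the owner, and the edit-distance check is the escape hatch for fat fingers. Thresholds and the distance cut-off are tuning knobs, not security constants.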