[wp-hackers] Limit Login Attempts

SWORD Studios info at swordstudios.net
Tue Apr 16 20:42:07 UTC 2013

Right now you can get confirmation from WordPress that an admin username
exists simply by going to the forgotten password screen. It will literally
tell you if you don't have the right username; when you finally do, it
will confirm that an email has been sent.

That should be fixed.

I tell clients, colleagues and students to employ best practices like:

   - never publishing content with a role greater than author
   - admin usernames should be far more difficult than a typical username
     (i.e. j4Friedman49)
   - passwords should be 10 characters long, uppercase, lowercase, numbers
     and characters

Those best practices, combined with functionality that simply presents a
captcha after too many attempts, whether IP- or username-based, will
fix everything.

On Tue, Apr 16, 2013 at 4:11 PM, Otto <otto at ottodestruct.com> wrote:

> On Tue, Apr 16, 2013 at 3:07 PM, Marko Heijnen <mailing at markoheijnen.nl>
> wrote:
> > I'm not sure what the code is behind 2 factor authentication but it
> > doesn't seem feasible for regular websites, but yes on the bigger sites
> > it is the way to go.
> 2-factor auth is neat and easy and anybody can set it up using the
> Google Authenticator app on their own phone and this plugin right
> here:
> http://wordpress.org/extend/plugins/google-authenticator/
> You don't need a Google account, and the mobile app doesn't need
> network access to work.
> -Otto

jesse friedman
jes.se.com
Book: Web Designers Guide to WordPress
Twitter: @professor <http://twitter.com/professor>
Facebook: <https://www.facebook.com/pages/Jesse-Friedman/204793299545174>
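The two problems raised in the post above, shown side by side in an added example that is not code from the thread or from WordPress: a lost-password handler whose reply leaks whether the username exists beside one that answers identically either way, and an attempt throttle keyed on both IP and username that tells the login form when to demand a captcha. The account names and the `KNOWN_USERS` store are constructed for illustration.

```python
"""Added example (not from the wp-hackers thread): a uniform-response
password-reset handler and a failed-attempt throttle keyed by IP and username."""
from collections import defaultdict
import time

# Constructed sample account store; the names are hypothetical.
KNOWN_USERS = {"j4Friedman49", "editor_mary"}

# The leaky behaviour the post describes: the message differs depending on
# whether the username exists, so the form doubles as a username oracle.
def leaky_reset_message(username: str) -> str:
    if username not in KNOWN_USERS:
        return "Invalid username."
    return "Check your email for the confirmation link."

# Hardened form: one message regardless of whether the account exists.
# Whether a mail is actually queued is decided here but never surfaces in
# the response, so the reply carries no information about account existence.
def uniform_reset_message(username: str) -> str:
    if username in KNOWN_USERS:
        pass  # queue the reset mail here; nothing about it reaches the reply
    return "If that account exists, a reset link has been sent."

class AttemptThrottle:
    """Counts failed attempts per IP and per username inside a sliding window
    and reports when the next attempt should be gated behind a CAPTCHA."""
    def __init__(self, limit: int = 5, window_s: int = 600):
        self.limit, self.window_s = limit, window_s
        self._events = defaultdict(list)  # ("ip"|"user", value) -> failure times

    def _prune(self, key, now: float) -> None:
        self._events[key] = [t for t in self._events[key] if now - t < self.window_s]

    def record_failure(self, ip: str, username: str, now: float = None) -> None:
        now = time.time() if now is None else now
        for key in (("ip", ip), ("user", username)):
            self._prune(key, now)
            self._events[key].append(now)

    def captcha_required(self, ip: str, username: str, now: float = None) -> bool:
        # Either key tripping the limit is enough: many IPs hammering one
        # username are caught just like one IP hammering many usernames.
        now = time.time() if now is None else now
        for key in (("ip", ip), ("user", username)):
            self._prune(key, now)
            if len(self._events[key]) >= self.limit:
                return True
        return False
```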
