[wp-hackers] Limit Login Attempts

Andrew Nacin wp at andrewnacin.com
Tue Apr 16 22:01:23 UTC 2013

On Tue, Apr 16, 2013 at 4:56 PM, Vid Luther <vid at zippykid.com> wrote:

> With my business hat on, it's just nuts how simple people make their
> passwords, and how complex things get when you try to do things to enhance
> the customer's security. The subject of this thread is "limit login
> attempts", is that really what we want?
> Or do we want to limit unauthorized access?

Excellent points, Vid. This is an arms race. Anything core does might
change the nature of the race, but we will not stop it, and we will only
escalate it. That's not to say there aren't some good things core can do.
But, any kind of limiting is simply a non-starter, because it doesn't work.

Limiting by IP will not work against a botnet. This is a fairly primitive
attack, but it was still sophisticated enough to ensure that IPs were
constantly switched. Anything we do in core will be useless here.

On Tue, Apr 16, 2013 at 11:14 AM, Chris Williams <chris at clwill.com> wrote:

> Because if you only allow each IP four (Five? Six?) login attempts per day,
> you essentially stop them all.

My site was hit with about 50,000 login attempts by about the same number
of IPs. Why not do this? Because limiting by failed attempts will just
trigger a denial of service on two fronts. (One: The server will be
overwhelmed. Two: If you block by failed attempts, the user might not be
able to log in on their own.) While they won't gain access to the account,
it'll prevent the actual user from logging in, either. I'm understating
when I call this a terrible user experience.

Anything we do might end up with huge database entries documenting failed
attempts. Any brute force activity can hog CPU and database resources, lock
things up, and send things crashing.

Also: Usernames are not private information in WordPress. They've always
been public, and they're public on a host of web services. (Take, for
example, Twitter.) WordPress tries hard to balance security and the
experience of the user, which is why we do things like tell people when
their username is wrong. There are no plans to change that behavior. It
would do very little for security and would mostly just harm the user's

This isn't about perfect being the enemy of good. This is about not jumping
to implement things that are poorly understood and will likely only make
things worse.

There are a lot of ways for us to encourage (and even enforce) stronger
passwords. We should start there. If you have good ideas, check out:
http://core.trac.wordpress.org/ticket/21737. It's something a few of us
plan to prioritize for 3.7.


More information about the wp-hackers mailing list