[wp-hackers] Limit Login Attempts

Chris Williams chris at clwill.com
Tue Apr 16 23:04:28 UTC 2013

Nacin writes:
>Two: If you block by failed attempts, the user might not be
>able to log in on their own.) While they won't gain access to the account,
>it'll prevent the actual user from logging in, either. I'm understating
>when I call this a terrible user experience.

This is only true if you limit based on a silly low number of attempts.
If you make it so that any IP that makes, say 25 (50?) failed login
attempts (across all participating sites) is blocked from all
participating sites, there is no reasonable way to say this is a "terrible
user experience".  No one reasonably makes 25-50 attempts at their own

>Anything we do might end up with huge database entries documenting failed
>attempts. Any brute force activity can hog CPU and database resources,
>things up, and send things crashing.

Clearly Automattic has the power/resources/bandwidth to be able to handle
this.  The number of failed login attempts has to be a minute fraction of
the number of spam comments it filters today quite handily.

>There are a lot of ways for us to encourage (and even enforce) stronger
>passwords. We should start there. If you have good ideas, check out:
>http://core.trac.wordpress.org/ticket/21737. It's something a few of us
>plan to prioritize for 3.7.

Talk about "terrible user experience".  Force me to have a password with
"at least one lower case, one capital, one digit, one symbol... Yadda ...
Yadda."  UGH!  That's a terrible user experience.  If I WANT to have a
crappy password, whose business is it but my own?  Warn me, maybe.  But
enforce is the opposite of a good user experience.

More information about the wp-hackers mailing list