[wp-hackers] Limit Login Attempts

Vid Luther vid at zippykid.com
Wed Apr 17 00:36:52 UTC 2013

On Tue, Apr 16, 2013 at 7:12 PM, Chris Williams <chris at clwill.com> wrote:

> Again, I'm not sure you're understanding.  I'm advocating a system where
> the plugin, upon submission of a login form, checks it against an
> Automattic database.  If it comes back bad (e.g., this IP has made 25 bad
> login attempts in the last 24 hours), it denies the login regardless of
> the validity of the username/password pair.  If it comes back good, and
> the local host determines that login is invalid, it submits that failure
> to the database.  That's it.  Probably the same or even less overhead than
> either side sees in the submission of a comment for analysis today.

It's clear I was not understanding. This proposal is more interesting, and
something I'd like to help with. This is something I've thought about doing
in-house as well, plus we had a discussion about this with Dre at the WP
Summit. With their cloud proxy, they'd definitely be in a good position to
have this information at a scale much greater than us.

Sending the IP address to a clearing house after the first failure would be
simple, with the wp_login_failed action. What we do after that is up for

I don't have a ton of experience with the Akismet API, but I'll experiment


Obviously, we can't assume Automattic will take up the cause and do this,
but we can start small. :).

> Surely the number of logins to all WP sites cannot be anywhere near the
> number of spam comments submitted to Akismet.  Even if it were, this
> problem (unauthorized access to WP sites) is at least as much of a threat
> to the health of the WP community as the spam problem was -- before
> Automattic essentially solved it.

Definitely intriguing, something we'll need to put some more thought cycles
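
A sketch of the flow discussed in this thread (look the IP up before accepting a login, report local failures through wp_login_failed), added here as an example; it is not code from either poster or from any existing plugin. The endpoint URL, its JSON response format and the slf_ names are hypothetical.

```php
<?php
// Hypothetical clearing-house endpoint and response format; no such service is named in the thread.
const SLF_ENDPOINT  = 'https://clearinghouse.example/v1/ip';
const SLF_THRESHOLD = 25; // bad attempts in the last 24 hours, the figure used in the thread

function slf_client_ip() {
	// REMOTE_ADDR only: forwarded-for headers are client-controlled unless a trusted proxy sets them.
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
}

// Priority 100 runs after core's own authenticate handlers (priority 20),
// so the denial holds even when the username/password pair is valid.
add_filter( 'authenticate', function ( $user, $username ) {
	$ip = slf_client_ip();
	if ( '' === $username || '' === $ip ) {
		return $user; // plain view of the login page, nothing was submitted
	}
	$res = wp_remote_get(
		add_query_arg( 'ip', rawurlencode( $ip ), SLF_ENDPOINT ),
		array( 'timeout' => 2 )
	);
	if ( is_wp_error( $res ) || 200 !== wp_remote_retrieve_response_code( $res ) ) {
		return $user; // fail open: a clearing-house outage must not lock every site out
	}
	// Assumed response body: {"failures_24h": <int>}
	$data = json_decode( wp_remote_retrieve_body( $res ), true );
	if ( is_array( $data ) && isset( $data['failures_24h'] ) && (int) $data['failures_24h'] >= SLF_THRESHOLD ) {
		return new WP_Error( 'slf_blocked', 'Too many failed login attempts from this address.' );
	}
	return $user;
}, 100, 2 );

// Report local failures. The $error argument is passed since WordPress 5.4.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
	if ( $error instanceof WP_Error && 'slf_blocked' === $error->get_error_code() ) {
		return; // our own denial, not a new bad password; do not count it again
	}
	wp_remote_post( SLF_ENDPOINT, array(
		'timeout'  => 2,
		'blocking' => false, // do not hold up the login response
		'body'     => array( 'ip' => slf_client_ip() ), // the username is deliberately not sent
	) );
}, 10, 2 );
```

Sites behind a reverse proxy or CDN would see the proxy's address in REMOTE_ADDR, so the address source has to be adapted there before any report is sent.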
