[wp-hackers] Limit Login Attempts
vid at zippykid.com
Wed Apr 17 00:36:52 UTC 2013
On Tue, Apr 16, 2013 at 7:12 PM, Chris Williams <chris at clwill.com> wrote:
> Again, I'm not sure you're understanding. I'm advocating a system where
> the plugin, upon submission of a login form, checks it against an
> Automattic database. If it comes back bad (e.g., this IP has made 25 bad
> login attempts in the last 24 hours), it denies the login regardless of
> the validity of the username/password pair. If it comes back good, and
> the local host determines that login is invalid, it submits that failure
> to the database. That's it. Probably the same or even less overhead that
> either side sees in the submission of a comment for analysis today.
It's clear I was not understanding. This proposal is more interesting, and
something I'd like to help with. This is something I've thought about doing
in house as well, plus we had a discussion about this with Dre at the WP
Summit. With their cloud proxy, they'd definitely be in a good position to
have this information at a scale much greater than us.
Sending the ip address to a clearing house after the first failure would be
simple, with the wp_login_failed action.. what we do after that is up for
I don't have a ton of experience with the akismet API but I'll experiment
Obviously, we can't assume Automattic will take up the cause and do this,
but we can start small. :).
> Surely the number of logins to all WP sites cannot be anywhere near the
> number of spam comments submitted to Akismet. Even if it were, this
> problem (unauthorized access to WP sites) is at least as much of a threat
> to the health of the WP community as the spam problem was -- before
> Automattic essentially solved it.
Definitely intriguing, something we'll need to put some more thought cycles
More information about the wp-hackers