[wp-hackers] Limit Login Attempts

Sam Hotchkiss sam at hotchkissconsulting.net
Mon Apr 22 13:50:27 UTC 2013

FWIW, this thread inspired me to come up with a solution:


Failed login attempts get logged into a central repository; if any single IP fails to log in 10 times in 1 hour to ANY site or combination of sites with this plugin installed, it blocks any login attempts to any installed site from that IP for 1 hour. Subsequent bans on that IP are held for longer (20 fails in 24 hours = a 4 hour ban, 30 fails in 48 hours = a 12 hour ban, etc). The next update will allow a user to lift their ban once in a 24 hour period by completing a re-captcha.

The idea being that, if we can get enough sites with the plugin installed, we can effectively neutralize the multiple-IP attack.

Obviously, this is not as ideal as complete host-level protection, but it's a whole lot easier...

Sam Hotchkiss :: Principal / Senior Web Developer
Hotchkiss Consulting Group
P: 207.200.4314 :: F: 207.209.1365
E-mail: sam at hotchkissconsulting.com
Google Talk: sam at hotchkissconsulting.com
Skype: hotchkiss.consulting

On Tuesday, April 16, 2013 at 1:53 PM, Chris Williams wrote:

> Since everyone seems to want to make the perfect the enemy of the good, I
> have an alternative proposal.
> When spam threatened the very existence of WP years ago, Automattic rose
> to the occasion and created Akismet. Between it and Bad Behavior, I see
> essentially zero uncaught spam. They did a great job, providing a
> centralized solution against a decentralized attack vector, and it works
> great.
> In this case, what if each failed login attempt was logged (on
> Automattic's servers like Akismet), and if more than X are seen in a given
> time period (even a huge number like 25/day?) from ANY WP site that IP is
> logged, and prevented from logging in on any WP site that participates in
> the program. Perhaps it is even added to generally available blacklists,
> so that things like Bad Behavior can stop it earlier. Sure, since it
> phones home, this would have to be a plugin so participation can be
> voluntary, but within a few days, this bot would be killed.
> As a community, I fail to believe our only defense against this is for
> each of us to build our own TSA at our own WP site. Especially by simply
> using the power of millions of WP sites sharing information we can stop it
> in its tracks.
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
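
The tiered, cross-site ban rule described in the message above, sketched as an added example (not part of the original post and not the plugin's code). It shows an address being banned on the combined count even though no single site saw 10 failures. Assumptions: the class and function names are hypothetical, only the three tiers stated in the post are implemented, the longest matching ban wins, and attempts made while banned are refused and not counted.

```python
from collections import defaultdict, deque

HOUR = 3600
# (failures, window, ban) in seconds, as stated in the post; tiers beyond "etc." are unspecified.
TIERS = [(10, 1 * HOUR, 1 * HOUR), (20, 24 * HOUR, 4 * HOUR), (30, 48 * HOUR, 12 * HOUR)]
MAX_WINDOW = max(window for _, window, _ in TIERS)


class CentralRepository:
    """Hypothetical shared store that every participating site reports to."""
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> deque of (timestamp, site)
        self.banned_until = {}              # ip -> epoch seconds when the ban lifts

    def is_banned(self, ip, now):
        return self.banned_until.get(ip, 0) > now

    def record_failure(self, ip, site, now):
        """Log one failed login from any site; return the ban issued in seconds (0 = none)."""
        log = self.failures[ip]
        log.append((now, site))
        while log[0][0] <= now - MAX_WINDOW:  # forget failures older than the longest window
            log.popleft()
        ban = 0
        for threshold, window, duration in TIERS:
            if sum(1 for ts, _ in log if ts > now - window) >= threshold:
                ban = max(ban, duration)
        if ban:
            self.banned_until[ip] = max(self.banned_until.get(ip, 0), now + ban)
        return ban


def replay(events):
    """Feed (timestamp, ip, site) events in time order; return [(ip, timestamp, ban_seconds)]."""
    repo, bans = CentralRepository(), []
    for now, ip, site in sorted(events):
        if repo.is_banned(ip, now):
            continue  # the site refuses the login outright, so nothing new is counted
        ban = repo.record_failure(ip, site, now)
        if ban:
            bans.append((ip, now, ban))
    return bans


# Constructed sample: one address spreads 12 failures across three sites, one per minute.
SITES = ["blog-a.example", "shop-b.example", "news-c.example"]
SAMPLE = [(i * 60, "203.0.113.7", SITES[i % 3]) for i in range(12)]
if __name__ == "__main__":
    print(replay(SAMPLE))
```

Spacing attempts more than an hour apart avoids the first tier, which is what the 24 hour and 48 hour windows are there to catch.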
