[wp-hackers] Limit Login Attempts

Nicholas Ciske nl at thoughtrefinery.com
Mon Apr 22 15:55:31 UTC 2013


I'm curious if you've done any load testing with this?

Seems like it could (initially) make attacks impose a worse performance penalty due to the number of remote calls (and you'd be hammering your central server), not to mention the possibility of adding thousands of transients to the WP database (which could hammer a shared database server pretty hard)?

What happens if the API server fails (or takes a long time to respond) -- would I be able to log into my site?

Nick Ciske

On Apr 22, 2013, at 8:50 AM, Sam Hotchkiss wrote:

> FWIW, this thread inspired me to come up with a solution:
> http://wordpress.org/extend/plugins/bruteprotect/
> Failed login attempts get logged into a central repository, if any single IP fails to log in 10 times in 1 hour to ANY site or combination of sites with this plugin installed, it blocks any login attempts to any installed site from that IP for 1 hour.  Subsequent bans on that IP are held for longer (20 fails in 24 hours = a 4 hour ban, 30 fails in 48 hours = a 12 hour ban, etc).  The next update will allow a user to lift their ban once in a 24 hour period by completing a re-captcha. 
> The idea being that, if we can get enough sites with the plugin installed, we can effectively neutralize the multiple-IP attack.
> Obviously, this is not as ideal as complete host-level protection, but it's a whole lot easier...
> -- 
> Sam Hotchkiss :: Principal / Senior Web Developer
> Hotchkiss Consulting Group

More information about the wp-hackers mailing list