[wp-hackers] Limit Login Attempts
chris at clwill.com
Mon Apr 22 21:11:18 UTC 2013
If he's only logging failed login attempts, I would think a) it wouldn't
harm you performing a valid login (since that wouldn't be logged), and b)
a delay in response to a failed login would be a good thing... Slow those
On 4/22/13 8:55 AM, "Nicholas Ciske" <nl at thoughtrefinery.com> wrote:
>I'm curious if you've done any load testing with this?
>Seems like it could (initially) make attacks impose a worse performance
>penalty due to the number of remote calls (and you'd be hammering your
>central server), not to mention the possibility of adding thousands of
>transients to the WP database (which could hammer a shared database
>server pretty hard)?
>What happens if the API server fails (or takes a long time to respond) --
>would I be able to log into my site?
>On Apr 22, 2013, at 8:50 AM, Sam Hotchkiss wrote:
>> FWIW, this thread inspired me to come up with a solution:
>> Failed login attempts get logged into a central repository, if any
>>single IP fails to log in 10 times in 1 hour to ANY site or combination
>>of sites with this plugin installed, it blocks any login attempts to any
>>installed site from that IP for 1 hour. Subsequent bans on that IP are
>>held for longer (20 fails in 24 hours = a 4 hour ban, 30 fails in 48
>>hours = a 12 hour ban, etc). The next update will allow a user to lift
>>their ban once in a 24 hour period by completing a re-captcha.
>> The idea being that, if we can get enough sites with the plugin
>>installed, we can effectively neutralize the multiple-IP attack.
>> Obviously, this is not as ideal as complete host-level protection, but
>>it's a whole lot easier...
>> Sam Hotchkiss :: Principal / Senior Web Developer
>> Hotchkiss Consulting Group
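The escalating-ban scheme Sam describes (10 failures in 1 hour, 20 in 24 hours, 30 in 48 hours, with 1, 4 and 12 hour bans) and Nicholas's question about a slow or failed central server, as an added example that is not code from the thread or from the plugin. An in-memory tracker stands in for the central repository, and the fail-open behaviour on a lookup timeout is an assumption chosen so that a site owner can still log in when the central server is unreachable.

```python
from collections import defaultdict, deque

HOUR = 3600
# (window seconds, failures in window, ban seconds); thresholds from the thread,
# checked from the longest window down so the harshest matching tier wins
TIERS = [(48 * HOUR, 30, 12 * HOUR), (24 * HOUR, 20, 4 * HOUR), (HOUR, 10, HOUR)]
LONGEST_WINDOW = TIERS[0][0]


class LoginBanTracker:
    """In-memory stand-in (assumed) for the central failed-login repository."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of failed logins
        self.banned_until = {}              # ip -> unix time the ban expires

    def _prune(self, ip, now):
        # Drop failures older than the longest window so memory stays bounded.
        q = self.failures[ip]
        while q and now - q[0] > LONGEST_WINDOW:
            q.popleft()

    def record_failure(self, ip, now):
        """Log one failed attempt; return the ban length applied (0 if none)."""
        self._prune(ip, now)
        self.failures[ip].append(now)
        for window, limit, ban in TIERS:
            recent = sum(1 for t in self.failures[ip] if now - t <= window)
            if recent >= limit:
                # Never shorten an existing ban; repeat offenders only extend it.
                self.banned_until[ip] = max(self.banned_until.get(ip, 0), now + ban)
                return ban
        return 0

    def is_banned(self, ip, now):
        return self.banned_until.get(ip, 0) > now


def login_allowed(lookup, ip, now):
    """Consult the central store; fail open if the lookup times out (assumed policy)."""
    try:
        return not lookup(ip, now)
    except TimeoutError:
        return True
```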