[wp-hackers] Limit Login Attempts

Chris Williams chris at clwill.com
Mon Apr 22 21:11:18 UTC 2013

If he's only logging failed login attempts, I would think a) it wouldn't
harm you performing a valid login (since that wouldn't be logged), and b)
a delay in response to a failed login would be a good thing...  Slow those
puppies down.

On 4/22/13 8:55 AM, "Nicholas Ciske" <nl at thoughtrefinery.com> wrote:

>I'm curious if you've done any load testing with this?
>Seems like it could (initially) make attacks impose a worse performance
>penalty due to the number of remote calls (and you'd be hammering your
>central server), not to mention the possibility of adding thousands of
>transients to the WP database (which could hammer a shared database
>server pretty hard)?
>What happens if the API server fails (or takes a long time to respond) --
>would I be able to log into my site?
>Nick Ciske
>On Apr 22, 2013, at 8:50 AM, Sam Hotchkiss wrote:
>> FWIW, this thread inspired me to come up with a solution:
>> http://wordpress.org/extend/plugins/bruteprotect/
>> Failed login attempts get logged into a central repository, if any
>>single IP fails to log in 10 times in 1 hour to ANY site or combination
>>of sites with this plugin installed, it blocks any login attempts to any
>>installed site from that IP for 1 hour.  Subsequent bans on that IP are
>>held for longer (20 fails in 24 hours = a 4 hour ban, 30 fails in 48
>>hours = a 12 hour ban, etc).  The next update will allow a user to lift
>>their ban once in a 24 hour period by completing a re-captcha.
>> The idea being that, if we can get enough sites with the plugin
>>installed, we can effectively neutralize the multiple-IP attack.
>> Obviously, this is not as ideal as complete host-level protection, but
>>it's a whole lot easier...
>> -- 
>> Sam Hotchkiss :: Principal / Senior Web Developer
>> Hotchkiss Consulting Group
>wp-hackers mailing list
>wp-hackers at lists.automattic.com

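The ban policy Sam describes (10 failures in 1 hour, 20 in 24 hours, 30 in 48 hours, with 1, 4 and 12 hour bans) and Nick's question about what a site does when the central API is slow or down can be made concrete. The following is an added example written for this page; it is not BruteProtect's code and does not use the WordPress transient API. The tier numbers are the ones quoted above; the data structures, the fail-open behaviour of the site-side check, the callables standing in for the remote API, and the IP addresses are all assumptions.

```python
"""Sliding-window failed-login counter with escalating per-IP bans, plus the
site-side gate that fails open when the central server cannot be reached.
Added example for the wp-hackers thread; not BruteProtect's code."""
from collections import defaultdict, deque

HOUR = 3600

# (window_seconds, failures_needed, ban_seconds), harshest tier first so the
# longest applicable ban wins when several tiers match at once.
BAN_TIERS = [
    (48 * HOUR, 30, 12 * HOUR),
    (24 * HOUR, 20, 4 * HOUR),
    (1 * HOUR, 10, 1 * HOUR),
]
LONGEST_WINDOW = max(window for window, _, _ in BAN_TIERS)


class BanRepository:
    """The central repository: one failure log shared by every participating site."""

    def __init__(self):
        self._failures = defaultdict(deque)  # ip -> ascending failure timestamps
        self._bans = {}                      # ip -> ban expiry (unix time)

    def record_failure(self, ip, now):
        """Log one failed attempt from ip; return the ban expiry if ip is now banned."""
        log = self._failures[ip]
        log.append(now)
        while log and log[0] <= now - LONGEST_WINDOW:  # forget anything older than 48 h
            log.popleft()
        for window, needed, ban_len in BAN_TIERS:
            recent = sum(1 for t in log if t > now - window)
            if recent >= needed:
                # Escalate, but never shorten a ban that is already running.
                self._bans[ip] = max(now + ban_len, self._bans.get(ip, 0))
                break
        return self._bans[ip] if self.is_banned(ip, now) else None

    def is_banned(self, ip, now):
        expiry = self._bans.get(ip)
        if expiry is not None and now < expiry:
            return True
        self._bans.pop(ip, None)  # expired or absent: drop it
        return False


def login_allowed(ip, now, check_ban):
    """Site-side gate run before the password check.
    check_ban(ip, now) stands in for the remote API call and may raise on timeout.
    Assumption: fail open, so an outage at the central server cannot lock every
    participating site's admins out; the normal password check still runs."""
    try:
        return not check_ban(ip, now)
    except (TimeoutError, ConnectionError, OSError):
        return True


def handle_login(ip, password_ok, now, check_ban, report_failure):
    """Return 'banned', 'ok' or 'failed'. Only failures are reported, so a valid
    login costs one lookup and no write to the central repository."""
    if not login_allowed(ip, now, check_ban):
        return "banned"
    if password_ok:
        return "ok"
    try:
        report_failure(ip, now)  # best effort; a lost report only weakens the ban
    except (TimeoutError, ConnectionError, OSError):
        pass
    return "failed"


def simulate_escalation(ip="203.0.113.7"):
    """Drive one IP through the three tiers quoted in the thread and return the
    ban length handed out each time (constructed scenario, not real traffic)."""
    repo = BanRepository()
    lengths = []
    for round_no in range(3):  # 10 failures per round, rounds 13 hours apart
        start = round_no * 13 * HOUR
        for i in range(10):
            expiry = repo.record_failure(ip, start + i)
        lengths.append(expiry - (start + 9))
    return lengths  # 1 h, then 4 h, then 12 h
```

Two design points worth noting against the thread's concerns: the per-IP log is pruned to the longest window (48 hours), which bounds the storage an attacker can make the central side hold, and the escalation is computed from that one log rather than from separately stored counters, so the 20-in-24-hours tier fires naturally once an earlier 1-hour ban has expired and the attacker resumes. Whether a site should fail open or closed when the API is unreachable is a policy choice; the example fails open because the alternative locks every participating site out together.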