[wp-hackers] Limit Login Attempts

Nicholas Ciske nl at thoughtrefinery.com
Tue Apr 23 14:35:23 UTC 2013

But it's not just logging them, it's waiting up to 15 seconds for an API response to see if that IP is blocked before allowing/denying login.

That means it's tying up a connection (or dozens if you're getting hit by many IPs at once) on your server which means those connections are not available for a legitimate user.

A sub-second response of "bad password" vs up to 15 seconds to ban an IP could quickly tie up a smaller server's connection pool (if the central server is getting hammered and responding slowly).

Not saying it'd happen, but without testing, this plugin could quickly take a shared server offline for hours during an attack. Hence my question as it it it had been tested under load before I go installing it across dozens of my sites.

If API calls were asynchronous (e.g. it simply pings the central server but then carries on as usual, and the central server pings back a blacklist response later (via a webhook, at a reasonable interval) to return all known bad IPs) that would seem to be much more performant (fewer HTTP connections at the expense of allowing a few password attempts through, which would be blocked by a strong password).

Nick Ciske

On Apr 22, 2013, at 4:11 PM, Chris Williams wrote:

> If he's only logging failed login attempts, I would think a) it wouldn't
> harm you performing a valid login (since that wouldn't be logged), and b)
> a delay in response to a failed login would be a good thing...  Slow those
> puppies down.

More information about the wp-hackers mailing list