[wp-hackers] Limit Login Attempts

Chris Williams chris at clwill.com
Tue Apr 23 22:57:32 UTC 2013


All good points.

On 4/23/13 7:35 AM, "Nicholas Ciske" <nl at thoughtrefinery.com> wrote:

>But it's not just logging them, it's waiting up to 15 seconds for an API
>response to see if that IP is blocked before allowing/denying login.
>
>That means it's tying up a connection (or dozens if you're getting hit by
>many IPs at once) on your server which means those connections are not
>available for a legitimate user.
>
>A sub-second response of "bad password" vs up to 15 seconds to ban an IP
>could quickly tie up a smaller server's connection pool (if the central
>server is getting hammered and responding slowly).
>
>Not saying it'd happen, but without testing, this plugin could quickly
>take a shared server offline for hours during an attack. Hence my
>question as to whether it had been tested under load before I go installing it
>across dozens of my sites.
>
>If API calls were asynchronous (e.g. it simply pings the central server
>but then carries on as usual, and the central server pings back a
>blacklist response later (via a webhook, at a reasonable interval) to
>return all known bad IPs) that would seem to be much more performant
>(fewer HTTP connections at the expense of allowing a few password
>attempts through, which would be blocked by a strong password).
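The asynchronous design sketched in the quoted message, as an added example that is not code from the plugin or from anyone in this thread: the login path reads only a locally cached blocklist and a per-IP failure window, reports are queued for a background job instead of a blocking API call, and `connections_held` applies Little's law to the 15-second versus sub-second hold times mentioned above. The class, method and function names are assumptions.

```python
import time
from collections import defaultdict, deque


class LoginGuard:
    """Login-path check that never waits on the remote reputation service.
    Only local state is read per request; the blocklist cache is filled by an
    out-of-band job (cron or webhook) and reports are queued, not sent inline."""

    def __init__(self, max_attempts=5, window=600):
        self.max_attempts = max_attempts    # failures allowed per IP per window
        self.window = window                # seconds
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocklist = set()              # known-bad IPs, refreshed out of band
        self.pending_reports = []           # IPs to report on the next background run

    def refresh_blocklist(self, ips):
        """Background job / webhook handler: replace the cached bad-IP list."""
        self.blocklist = set(ips)

    def allow_attempt(self, ip, now=None):
        """Decide from local state only; no network wait on the request path."""
        now = time.time() if now is None else now
        if ip in self.blocklist:
            return False
        recent = self.attempts[ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()                # drop failures outside the window
        return len(recent) < self.max_attempts

    def record_failure(self, ip, now=None):
        """Count a bad password; queue a report once the local limit is hit."""
        now = time.time() if now is None else now
        self.attempts[ip].append(now)
        if len(self.attempts[ip]) >= self.max_attempts and ip not in self.pending_reports:
            self.pending_reports.append(ip)

    def drain_reports(self):
        """Hand queued IPs to the background sender (fire-and-forget)."""
        reports, self.pending_reports = self.pending_reports, []
        return reports


def connections_held(failed_logins_per_second, seconds_per_check):
    """Little's law: average connections occupied = arrival rate * hold time.
    Constructed figures: 10 bad logins/s held 15 s -> 150; held 0.5 s -> 5."""
    return failed_logins_per_second * seconds_per_check
```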


