[wp-hackers] Limit Login Attempts

Sam Hotchkiss sam at hotchkissconsulting.net
Wed Apr 24 11:50:56 UTC 2013

On Monday, April 22, 2013 at 11:55 AM, Nicholas Ciske wrote:

> I'm curious if you've done any load testing with this?

Hi Nick-- I've done some load testing, and it's hosted on a server that I can quickly scale up if need be.
> Seems like it could (initially) make attacks impose a worse performance penalty due to the number of remote calls (and you'd be hammering your central server), not to mention the possibility of adding thousands of transients to the WP database (which could hammer a shared database server pretty hard)?

This is an interesting question-- I have seen plugins add tens (or even hundreds) of thousands of rows to the DB.  Would it be preferable, from a best practices perspective, to use a separate table?  It seems like it would be more efficient, but not the "WordPress way"
> What happens if the API server fails (or takes a long time to respond) -- would I be able to log into my site?

Currently, when the API fails, the plugin allow login, however, keep in mind that once an IP is blocked, it is no longer necessary to check in against the remote server.  An upcoming update will integrate standalone functionality, so, if the API server is unreachable, we will add a CAPTCHA to login until the server comes back online.

Sam Hotchkiss :: Principal / Senior Web Developer
Hotchkiss Consulting Group
P: 207.200.4314 :: F: 207.209.1365
E-mail: sam at hotchkissconsulting.com (mailto:sam at hotchkissconsulting.com)
Google Talk: sam at hotchkissconsulting.com (mailto:sam at hotchkissconsulting.com)
Skype: hotchkiss.consulting

More information about the wp-hackers mailing list