[wp-hackers] Limit Login Attempts

Mark Costlow cheeks at swcp.com
Wed Apr 24 23:20:18 UTC 2013

I'm interested in playing with bruteprotect -- it sounds like a good
response to the various aspects to this problem.

One of our customer sites had a related problem today.  A brute-force
attacker can learn the names of any potential admin users by sending
GET requests for /?author=N where N is a user number.  We had one
attacker this morning who sent /?author=N requests for 1..10 and
identified an admin user.  The username had the word "admin" in it,
and the user's firstname was "Admin" -- not sure which of these it
keyed on, possibly both.  It then proceeded to try brute-forcing
passwords until the limit plugin blocked him.

Seems like multiple requests for /?author=N would indicate a potential
bad guy.  Not sure what is the appropriate place to add logic to respond
to that.  For now we're addressing it "out-of-band" with fail2ban
watching web server logs, but that's imperfect.


On Wed, Apr 24, 2013 at 07:53:40AM -0400, Sam Hotchkiss wrote:
> On Monday, April 22, 2013 at 5:11 PM, Chris Williams wrote:
> > If he's only logging failed login attempts, I would think a) it wouldn't
> > harm you performing a valid login (since that wouldn't be logged), and b)
> > a delay in response to a failed login would be a good thing... Slow those
> > puppies down.
> Correct, API calls are only made:
> The first time a given IP attempts to access your login page (we check to see if it's a known attacker, if not, the IP gets whitelisted and not re-checked until they have a failed login)
> When a failed login attempt is made
> When you visit the plugin settings page (it re-verifies your API key)
> -- 
> Sam Hotchkiss :: Principal / Senior Web Developer
> Hotchkiss Consulting Group
> P: 207.200.4314 :: F: 207.209.1365
> E-mail: sam at hotchkissconsulting.com (mailto:sam at hotchkissconsulting.com)
> Google Talk: sam at hotchkissconsulting.com (mailto:sam at hotchkissconsulting.com)
> Skype: hotchkiss.consulting
> http://www.hotchkissconsulting.com/
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

Mark Costlow    | Southwest Cyberport | Fax:   +1-505-232-7975
cheeks at swcp.com | Web:   www.swcp.com | Voice: +1-505-232-7992

Mail Minder - Intelligent Push Notifications for Email on the iPhone
http://mailminderapp.com/download  or in the App Store

More information about the wp-hackers mailing list