[wp-hackers] Admin Login Brute Force Attacks (Revisited)

Harry Metcalfe harry at dxw.com
Fri May 17 15:42:04 UTC 2013


I'd recommend using something like Varnish or nginx to do this - so that 
the requests never even get to Apache.

Harry


On 17/05/13 16:08, Bryan Spahr wrote:
> For performance[*], I would like to be able to reject any login attempt
> where $_POST['log'] begins with 'admin', and to do it at the earliest possible
> moment, to minimize the load on my server.
>
> Is login_form_login a reasonable place for this kind of check?  Or is there
> an earlier hook that would cause less load on the server?
>
> And what is the best way to "die" in this case - exit? die? redirect?
>
>
> Thanks,
> Bryan
>
> [*] This is NOT intended as a security measure.  I have taken all necessary and
> reasonable precautions to prevent someone from breaking in to any of the sites
> I host.  I'm looking to mitigate the resource usage caused by bots trying to
> log in as admin, or adminadmin, or administrator which is what I'm seeing and
> have been seeing for the past few months.
>
>
>> On Wed, Mar 20, 2013 at 6:10 PM, Chip Bennett <chip at chipbennett.net> wrote:
>>> Also: I keep the "admin" account - reduced to the "subscriber" role. It makes for a great honeypot.
>> Totally unnecessary. I have no "admin" account at all on my site. I
>> get the Limit Login Attempts email 8-12 times a day regardless. All
>> "admin" attempts.
>>
>> -Otto
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
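
For the in-WordPress variant Bryan asks about (as opposed to Harry's proxy-level approach), the following is an added illustration, not code from the thread: a must-use plugin that checks the submitted username on `muplugins_loaded`, the earliest action a plugin can hook, well before `login_form_login` and before themes or regular plugins load. The prefix list, the file location under `wp-content/mu-plugins/`, and the function names are assumptions for the example; it covers only `wp-login.php` form posts, not XML-RPC.

```php
<?php
/**
 * Plugin Name: Early admin-login rejector (illustrative mu-plugin)
 * Drop into wp-content/mu-plugins/ so it loads before regular plugins.
 * Assumption: usernames beginning with "admin" (admin, adminadmin,
 * administrator) are the junk logins to drop; adjust to what your logs show.
 * This is a load-reduction measure, not an authentication control.
 */

// Usernames starting with any of these prefixes are rejected outright.
const EARLY_REJECT_PREFIXES = array( 'admin' );

/**
 * Decide whether a submitted login should be rejected early.
 * Returns true for a POST whose 'log' field starts with a rejected prefix
 * (case-insensitive, surrounding whitespace ignored).
 */
function early_reject_should_block( $method, array $post ) {
	if ( 'POST' !== strtoupper( $method ) || empty( $post['log'] ) ) {
		return false;
	}
	$user = strtolower( trim( (string) $post['log'] ) );
	foreach ( EARLY_REJECT_PREFIXES as $prefix ) {
		if ( 0 === strpos( $user, $prefix ) ) {
			return true;
		}
	}
	return false;
}

/**
 * Hooked on muplugins_loaded: pluggable functions, the theme and normal
 * plugins are not loaded yet, so a rejected request costs very little.
 * A bare 403 with exit() is cheaper than a redirect, which would make the
 * bot issue a second request.
 */
function early_reject_admin_login() {
	$method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : 'GET';
	if ( ! early_reject_should_block( $method, $_POST ) ) {
		return;
	}
	if ( ! headers_sent() ) {
		header( 'HTTP/1.1 403 Forbidden' );
		header( 'Content-Type: text/plain; charset=utf-8' );
	}
	exit( 'Forbidden' );
}
add_action( 'muplugins_loaded', 'early_reject_admin_login' );
```

Because the check runs before `wp_login_failed` and similar hooks, plugins such as Limit Login Attempts will not see these rejected requests; if you want them counted, log them yourself from `early_reject_admin_login()`.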
