[wp-hackers] Securing Wordpress Login
hovercrafter at earthlink.net
Mon Aug 21 14:33:56 GMT 2006
> It took me a while to find it, but this was discussed in this list before.
> This large thread had quite a few solutions proposed, but I don't
> think any was incorporated into the release (2.0) at the end.
I'll take a look through that. Thanks for digging it up.
> Upon first inspection, this would raise concerns among the blind (see
Actually the sites I have done this on, this is not a concern. The only
people who login are people who write for the sites. I can see where this
would be a concern on a larger/open audience though. I also try to go with
high contrast CAPTCHA's that use larger point sizes and don't warp/rotate
the letters at all (like many of the other captcha systems do). This makes
it more open to OCR, but I doubt that is as much of a concern.
> The one issue with this is that it opens the system to
> account-targeted vandalism. Someone can affect one's
> account and cause great inconvenience. Since it's not a
> brute-force-type attack, it will probably be less tolerable
> than DDOS attacks on the login page, which at the very worst
> lead to problems in the database or bring down the server.
> You wouldn't want Senator Gore with his 20-buck-a-month
> hosting relying on this... *LOL*
That's why I was figuring something like: after 5 failed attempts, WordPress
changes the password using the default password generator (which is actually
decent). After they hit that magic number, the password would only change
once (instead of someone doing 10,000 login attempts and that person ending
up with 2,000 password emails LOL). The other option would be to email some
sort of activation link, but then you get into the problem of the email not
going through (something rather common on crappy shared hosting).
And actually that was Senator Lieberman on his $15/month shared hosting that
was actually coming off a reseller account with 73 other sites on a single
server and wondering why it went down after a night of running two-minute
television ads with his URL at the bottom LOL.
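The throttling scheme proposed in the reply above (after five failures, reset the password once per streak rather than once per failed attempt), as an added Python example that is not part of the original thread or of WordPress. The `AccountState` record, `THRESHOLD` and the `emails` list are constructed stand-ins for a real user table and mailer; the `demo` function also shows the account-targeted lockout caveat raised in the quoted text.

```python
import secrets
import string
from dataclasses import dataclass, field

THRESHOLD = 5  # failed attempts before the one-shot reset fires (assumed value)


@dataclass
class AccountState:
    """Constructed stand-in for one row of a user table."""
    password: str
    failures: int = 0
    reset_sent: bool = False          # one reset per streak of failures
    emails: list = field(default_factory=list)  # stand-in for the mailer


def generate_password(length: int = 12) -> str:
    """Random password from a CSPRNG, in place of WordPress's generator."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def attempt_login(acct: AccountState, supplied: str) -> bool:
    """Return True on success; on the THRESHOLD-th failure reset the password once."""
    if secrets.compare_digest(acct.password, supplied):
        acct.failures = 0           # a good login ends the streak
        acct.reset_sent = False     # and re-arms the one-shot reset
        return True
    acct.failures += 1
    if acct.failures >= THRESHOLD and not acct.reset_sent:
        acct.password = generate_password()
        acct.emails.append(acct.password)  # exactly one mail per streak
        acct.reset_sent = True
    return False


def demo(attempts: int = 10_000) -> dict:
    """Hammer one account with wrong guesses; report mails sent and owner impact."""
    acct = AccountState(password="owner-chosen-secret")
    for _ in range(attempts):
        attempt_login(acct, "wrong-guess")
    owner_locked_out = not attempt_login(acct, "owner-chosen-secret")
    recovered = attempt_login(acct, acct.emails[-1])  # owner uses the mailed one
    return {"mails": len(acct.emails),
            "owner_locked_out": owner_locked_out,
            "recovered": recovered}
```

`demo()` returns one mail for ten thousand guesses, but also shows that any third party who sends five bad guesses changes the owner's password, which is the vandalism concern in the quoted text.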