[wp-hackers] WordPress can "leak" if a username is valid

Otto otto at ottodestruct.com
Mon Feb 18 21:52:37 GMT 2008


On Feb 18, 2008 3:19 PM, James Davis <james at freecharity.org.uk> wrote:
> I'm not disagreeing with how these tickets should be closed but you've
> not illustrated why a brute force attack against WordPress is different
> to a brute force attack against SSH and why they shouldn't be afforded
> the same protective measures.

I can repeatedly send password attacks to an SSH server very fast
without it being particularly impacted by it.

Hitting a WordPress server very fast would either a) have a very long
round trip time or b) bring down the server due to the sudden high
amount of database activity.

A webpage is slower than SSH.

> (I'm not sure that blocking IPs is such a great idea - probably left to
> a plugin.)

Agreed, just pointing out that the solution to a brute force threat is
straightforward. Making error messages less verbose and useful doesn't
solve any real problems.

-Otto

