[wp-hackers] Limit Login Attempts

Marko Heijnen mailing at markoheijnen.nl
Tue Apr 16 15:46:05 UTC 2013


The only thing that makes sense to have in core is checking the password strength and not having the username 'admin' pre-filled. Not that I think it helps much, but it doesn't hurt.

Protecting against a DDOS attack depends on the type of attack. So locking down an account can be seen as stupid, since it will lock you out when you want to blog.
But it can be useful, like now, for a short period. I have, however, added an IP check now that allows me to log in from home only. What also makes sense for now, and probably later, is to add a role check to it.

I do block IPs, but as said they can change easily. So it does work a little. That is also why I don't think limiting login attempts should be a core feature.
It just does too little when someone really wants to get in. If you have a password with 32 chars you are safe for now.

The most important things to do are changing your password often, not blogging with an administrator user (finding out the username), updating WP, plugins and themes, and reading blogs about it.
The current overreaction about the username 'admin', and changing it, doesn't improve your site much. It depends on what kind of password you have.

Also, what everyone seems to forget is that protecting your server is maybe even more important. Most attempts on my server that I know about are trying to log in to my SSH.
Another thing is that the client sites that got hacked were not hacked because of the site, but because someone had a virus on their PC.

Marko

On 16 Apr 2013, at 17:39, Chip Bennett <chip at chipbennett.net> wrote:

> "Does that overlook something important?"
> 
> Well, unless you whitelist your own IP address to bypass the login lockout,
> then if the brute-force attack attacks your actual username, you could find
> yourself locked out of your own site.
> 
> Another solution is to .htaccess whitelist your own IP address for
> wp-login.php, but that may not exactly be a low-maintenance solution
> (dynamic IP addresses, logging in from multiple locations/IP
> addresses/devices, etc.).
> 
> 
> On Tue, Apr 16, 2013 at 11:32 AM, onlyunusedname
> <onlyunusedname at gmail.com>wrote:
> 
>> I've been using something similar to what Jesse describes: limiting
>> attempts based on username so that I may disregard IP.  Does that overlook
>> something important?
>> 
>> 
>> On Tue, Apr 16, 2013 at 11:30 AM, Tom Barrett <tcbarrett at gmail.com> wrote:
>> 
>>> Is there any way to set up a collective pool, a global 'limit login
>>> attempts blacklist'?
>>> 
>>> 
>>> On 16 April 2013 16:25, Chip Bennett <chip at chipbennett.net> wrote:
>>> 
>>>> I agree that Limit Login Attempts is useful, and does block single-IP
>>>> brute-force attacks. (I use, and love, Limit Login Attempts.)
>>>> 
>>>> But this particular botnet has demonstrated the ability to vary the IP
>>>> address used to brute-force a given site. That behavior, IIRC, has been
>>>> observed in the wild.
>>>> 
>>>> My caution in adding Limit Login Attempts to core in response to this
>>>> attack is that it would give a false sense of security, WRT both
>>>> brute-force login attempts and DDoS.
>>>> 
>>>> 
>>>> On Tue, Apr 16, 2013 at 11:14 AM, Chris Williams <chris at clwill.com> wrote:
>>>> 
>>>>> Because if you only allow each IP four (Five? Six?) login attempts per
>>>>> day, you essentially stop them all.
>>>>> 
>>>>> In my log analysis, it's not the case that each IP only makes a few
>>>>> attempts.  They try hundreds/thousands. Now they are hitting my block,
>>>>> which requires a block of four attempts four times (16 total hits in a
>>>>> one day period).
>>>>> 
>>>>> If you look at the analysis on this, it all says something like "at 1000
>>>>> attempts/minute it takes only N days to crack your short password". Well,
>>>>> at 4 attempts/day, that number becomes millennia.
>>>>> 
>>>>> More to the point, why NOT do this?  It doesn't require everyone to change
>>>>> their password.  It doesn't require everyone to remove the "admin"
>>>>> account. It doesn't require any changes at all, yet helps protect even the
>>>>> most lax of password choosers.
>>>>> 
>>>>> On 4/16/13 7:53 AM, "Chip Bennett" <chip at chipbennett.net> wrote:
>>>>> 
>>>>>> If 90,000 unique IP addresses are attempting a brute-force attack, in which
>>>>>> no single IP address makes more than a handful of attempts, how effective
>>>>>> will it be to limit login attempts by IP address?
>>>>>> 
>>>>>> I would support the inclusion of Limit Login Attempts in core, based on its
>>>>>> utility; however, it won't do any particular good in dealing with the full
>>>>>> potential of the current attack.
>>>>>> 
>>>>>> 
>>>>>> On Tue, Apr 16, 2013 at 10:36 AM, Chris Williams <chris at clwill.com> wrote:
>>>>>> 
>>>>>>> I made a rather reasonable proposal, and received plenty of advice, but
>>>>>>> the proposal never was vetted.  Now the issue of brute force attacks has
>>>>>>> even received Matt's attention:
>>>>>>> http://ma.tt/2013/04/passwords-and-brute-force/
>>>>>>> 
>>>>>>> On the dozen or so WP sites I manage, wp-login.php is frequently among the
>>>>>>> top 10 most often accessed pages.  Yes, I have removed the admin account.
>>>>>>> Yes, I have robust passwords.  Yes, I have plugins to help.  Yes, I am
>>>>>>> playing whack-a-mole and blocking the IPs one-by-one.  But brute force
>>>>>>> attempts to login are happening at an alarming rate.
>>>>>>> 
>>>>>>> Wordpress should include login attempt limiting as part of core:
>>>>>>> 
>>>>>>> *   Logging into WP is a core feature
>>>>>>> *   Usernames and passwords are a core part of WP security
>>>>>>> *   Password strength metering is a core feature
>>>>>>> *   Limiting guesses is a key way to defend against brute force attacks
>>>>>>> 
>>>>>>> Is this the end-all-be-all to WP security?  No, of course not.
>>>>>>> 
>>>>>>> But much of WP security depends on not being able to get access to
>>>>>>> privileged accounts.  And limiting login attempts is a simple,
>>>>>>> straightforward, non-invasive way to dramatically improve that security.
>>>>>>> It has almost no impact on the good guys and virtually eliminates a common
>>>>>>> exploit path.
>>>>>>> 
>>>>>>> Not every WP site allows comments, so having Akismet as a plugin makes sense.
>>>>>>> Many other plugins make sense as plugins.  But logging into WP is an
>>>>>>> essential facility.
>>>>>>> 
>>>>>>> Limiting login attempts should be part of core.
>>>>>>> 
>>>>>>> Chris
>>>>>>> _______________________________________________
>>>>>>> wp-hackers mailing list
>>>>>>> wp-hackers at lists.automattic.com
>>>>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>>>> 
>>>> 
>>> 
>>> 
>>> 
>>> --
>>> http://www.tcbarrett.com | http://gplus.to/tcbarrett |
>>> http://twitter.com/tcbarrett
>>> 
>> 
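Added here as a worked example of the two limiting strategies the thread argues about; it is not code from the thread, from WordPress core, or from the Limit Login Attempts plugin. It models a per-IP cap (Chris's "four attempts per day"), a per-username cap (what onlyunusedname describes), and an IP allow list (Chip's whitelist), then runs a constructed distributed attack in which every source stays under the per-IP cap, as Chip's 90,000-IP scenario assumes. The `ip-N` labels, the owner IP `198.51.100.7`, the 24-hour window and the guess-rate arithmetic are all assumptions made for the example.

```python
from collections import defaultdict

DAY = 86400.0  # seconds; the 24-hour window assumed from "four attempts per day"


class LoginLimiter:
    """Toy login-attempt limiter (added example, not WordPress or plugin code).

    per_ip_limit   -- failed attempts one source IP may make inside the window
    per_user_limit -- failed attempts allowed against one username inside the window
    allowed_ips    -- source IPs that bypass both checks (the site owner's own IP)
    Passing None for either limit disables that check.
    """

    def __init__(self, per_ip_limit=4, per_user_limit=None,
                 window=DAY, allowed_ips=()):
        self.per_ip_limit = per_ip_limit
        self.per_user_limit = per_user_limit
        self.window = window
        self.allowed_ips = set(allowed_ips)
        self._by_ip = defaultdict(list)    # ip -> timestamps of failed logins
        self._by_user = defaultdict(list)  # username -> timestamps of failed logins

    def _recent(self, store, key, now):
        # forget failures that fell out of the window and count what remains
        store[key] = [t for t in store[key] if now - t < self.window]
        return len(store[key])

    def is_allowed(self, ip, username, now):
        """True if a login attempt from ip against username may reach the password check."""
        if ip in self.allowed_ips:
            return True
        if (self.per_ip_limit is not None
                and self._recent(self._by_ip, ip, now) >= self.per_ip_limit):
            return False
        if (self.per_user_limit is not None
                and self._recent(self._by_user, username, now) >= self.per_user_limit):
            return False
        return True

    def record_failure(self, ip, username, now):
        self._by_ip[ip].append(now)
        self._by_user[username].append(now)


def simulate_attack(limiter, n_ips, attempts_per_ip, username="admin"):
    """Constructed scenario: n_ips distinct sources each make attempts_per_ip wrong
    guesses against one username, one second apart. Returns
    (guesses that reached the password check, guesses refused by the limiter)."""
    reached = refused = 0
    now = 0.0
    for i in range(n_ips):
        ip = f"ip-{i}"  # constructed label, one per botnet source
        for _ in range(attempts_per_ip):
            now += 1.0
            if limiter.is_allowed(ip, username, now):
                reached += 1
                limiter.record_failure(ip, username, now)  # every guess is wrong
            else:
                refused += 1
    return reached, refused


def compare_strategies(n_ips=1000, attempts_per_ip=3):
    """Per-IP limiting alone vs. per-IP plus per-username limiting, against a
    botnet that keeps every source under the per-IP cap of four."""
    return {
        "per_ip_only": simulate_attack(
            LoginLimiter(per_ip_limit=4, per_user_limit=None), n_ips, attempts_per_ip),
        "per_ip_and_user": simulate_attack(
            LoginLimiter(per_ip_limit=4, per_user_limit=4), n_ips, attempts_per_ip),
    }


def owner_lockout(owner_ip="198.51.100.7", n_ips=50):
    """Chip's caveat: once the per-username cap trips, the real owner is shut out
    too, unless their IP is on the allow list. Returns
    (owner allowed without allow list, owner allowed with allow list)."""
    plain = LoginLimiter(per_ip_limit=4, per_user_limit=4)
    listed = LoginLimiter(per_ip_limit=4, per_user_limit=4, allowed_ips=[owner_ip])
    simulate_attack(plain, n_ips, 3)
    simulate_attack(listed, n_ips, 3)
    now = 3600.0  # an hour after the attack started, still inside the window
    return (plain.is_allowed(owner_ip, "admin", now),
            listed.is_allowed(owner_ip, "admin", now))


def years_to_exhaust(alphabet_size, length, attempts_per_day):
    """Worst-case years to try every password of this length at a given guess rate."""
    return alphabet_size ** length / attempts_per_day / 365


if __name__ == "__main__":
    print(compare_strategies())   # per-IP alone stops nothing; per-user stops all but 4
    print(owner_lockout())        # (False, True)
    # 6 lowercase letters: under a year at 1000 guesses/minute, ~200,000 years at 4/day
    print(years_to_exhaust(26, 6, 1000 * 60 * 24), years_to_exhaust(26, 6, 4))
```

The per-IP-only limiter never refuses a single guess in the distributed run, which is Chip's point; the per-username cap refuses everything after the fourth failure, which is the lockout onlyunusedname asks about, and `owner_lockout` shows why that cap needs the allow list Chip mentions before it is usable. The guess-rate function reproduces Chris's "days versus millennia" comparison for a six-letter lowercase password.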