[wp-hackers] Limit Login Attempts

onlyunusedname onlyunusedname at gmail.com
Tue Apr 16 16:13:52 UTC 2013


I'm very interested in doing this correctly and it isn't quite my area of
expertise.  Are the people who are disagreeing with Chris Williams' original
suggestion saying something to the effect of:  "WordPress is not the level
at which to be addressing this problem.  Brute force is a security problem
and a resource/performance problem.  The security problem is fairly easy to
solve without changes to core.  The resource/performance problem needs to
be solved before WordPress core ever gets loaded."  Is that a correct
understanding?


On Tue, Apr 16, 2013 at 12:02 PM, Michael Donaghy <mike at donaghy.biz> wrote:

> That's what Cloudflare does. I'd suggest using Cloudflare for most WordPress
> installs out there.
>
> For other reasons, Cloudflare isn't a viable solution for my environment.
>
> On Tue, Apr 16, 2013 at 11:59 AM, David Anderson <david at wordshell.net> wrote:
>
> > With the present attacks, per-IP blocks are not necessarily effective,
> > because the attackers have vast numbers of IPs.
> >
> > The attack is distributed. So why shouldn't we build a distributed
> > defence?
> >
> > Produce a plugin that, before allowing login, verifies the connecting IP
> > against a source in the cloud. All that's needed is someone to provide
> > that source in the cloud. "Dear cloud - what do you think of that IP" "Well,
> > that IP has had A failed logins on B different WordPress sites in C
> > different countries in the last D minutes" (tweak accordingly to have a
> > sensible algorithm, etc.).
> >
> > That's a gap in the market for someone to earn some community credit, or
> > money, from.
> >
> > David
> >
> > --
> > WordShell - WordPress fast from the CLI - www.wordshell.net
>
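
The "source in the cloud" lookup proposed in the quoted message, sketched as an added example that is not part of the original thread or any existing plugin. The class, method names and thresholds are hypothetical; A, B, C and D are the quantities named in the quoted text, and reports are assumed to arrive in timestamp order.

```python
# Added example, not code from the thread. Names and thresholds are hypothetical.
from collections import deque
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Verdict:
    failures: int   # A: failed logins inside the window
    sites: int      # B: distinct sites that reported them
    countries: int  # C: distinct countries of those sites
    block: bool


class ReputationStore:
    def __init__(self, window_s=600, min_failures=20, min_sites=3):
        self.window_s = window_s  # D, in seconds
        self.min_failures = min_failures
        self.min_sites = min_sites
        self._events = {}  # ip -> deque of (ts, site, country)

    @staticmethod
    def _key(ip):
        # Fold IPv4-mapped IPv6 ("::ffff:a.b.c.d") onto the IPv4 record.
        addr = ipaddress.ip_address(ip)
        return str(getattr(addr, "ipv4_mapped", None) or addr)

    def _recent(self, key, now):
        q = self._events.get(key, deque())
        while q and q[0][0] <= now - self.window_s:
            q.popleft()
        if not q:
            self._events.pop(key, None)  # keep no record for idle IPs
        return q

    def report_failure(self, ip, site, country, ts):
        # Assumes reports arrive in timestamp order.
        key = self._key(ip)
        q = self._recent(key, ts)
        q.append((ts, site, country))
        self._events[key] = q

    def verdict(self, ip, now):
        q = self._recent(self._key(ip), now)
        sites = {site for _, site, _ in q}
        countries = {country for _, _, country in q}
        # Demand several independent reporters: one site flooding bogus
        # reports must not get an address blocked everywhere.
        block = len(q) >= self.min_failures and len(sites) >= self.min_sites
        return Verdict(len(q), len(sites), len(countries), block)
```

A login plugin would call `verdict()` before checking credentials and `report_failure()` after a failed attempt; a real service would also need to authenticate the reporting sites.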

