[wp-hackers] Limit Login Attempts

Daniel Dvorkin elrabino at gmail.com
Tue Apr 16 20:11:10 UTC 2013


Wondering what the effects would be of adding a captcha field (to
everyone) for M min after N general failed login attempts (regardless of
username or IP).



---------------------
Daniel Dvorkin
Mobile: +54 (0261) 15-315-2244
Skype: mzaweb
http://mzaweb.com



On Tue, Apr 16, 2013 at 5:07 PM, Marko Heijnen <mailing at markoheijnen.nl>wrote:

> Awesome, Vid, for your reaction. Hosting companies like yours do help to
> have insight into this kind of thing.
>
> I do like point 2 in a way. I did copy/paste the list from WP Engine and
> modify it to nginx rules. And 90,000 IPs doesn't work but blocking the top
> 50 does help.
> For 3 it can be more feasible if you only do that for wp-login.php but I
> do get what you mean. It's a pain.
>
> I'm not sure what the code is behind 2 factor authentication but it
> doesn't seem feasible for regular websites but yes on the bigger sites
> it is the way to go.
>
> Marko
>
>
> On 16 Apr 2013, at 21:56, Vid Luther <vid at zippykid.com> wrote:
>
> > As a hosting provider, here's our take on things.. we'd love your feedback.
> >
> > 1. Having dictionary based passwords is a very good way to get in, these
> > bots can sometimes guess the right password on the first hit, if that
> > happens, a "brute force detector" is useless.
> >
> > 2. In theory, as a hosting provider, we would love a way to share the
> > offending IPs across our sites and with other providers. Maintaining the
> > accuracy of this list is daunting, and something we're understaffed to do.
> >
> > 3. Blocking 90,000 IPs is not feasible. Currently we're handling 250,000
> > connections/second. Each connection being pre-approved will kill our edge
> > devices. Now, compare that to Automattic, or the larger providers like
> > Hostgator/GoDaddy etc.. it's just something that's not feasible.
> >
> > 4. We don't use Apache, so all these plugins that use .htaccess are useless
> > on our systems.
> >
> >
> > I personally think 2 factor authentication is where we need to move. It's
> > going to be a pain to educate the layman about it, but it is possible, and
> > we should. The websites we host at zippyKid are business websites, most of
> > these businesses deploy an alarm on premise, why they wouldn't or shouldn't
> > on their own website is beyond me. Trying to make WordPress login more
> > "secure" is pointless. We need to make more educated users.
> >
> >
> >
> >
> > On Tue, Apr 16, 2013 at 2:37 PM, William P. Davis <will.davis at gmail.com> wrote:
> >
> >> +1 for something that immediately regards user as suspicious if they're
> >> probing an admin user that doesn't exist.
> >> Sent from my BlackBerry
> >>
> >> -----Original Message-----
> >> From: Abdussamad Abdurrazzaq <abdussamad at abdussamad.com>
> >> Sender: wp-hackers-bounces at lists.automattic.com
> >> Date: Wed, 17 Apr 2013 00:25:03
> >> To: <wp-hackers at lists.automattic.com>
> >> Reply-To: wp-hackers at lists.automattic.com
> >> Subject: Re: [wp-hackers] Limit Login Attempts
> >>
> >> Delaying response times would lock up Apache processes that could be
> >> used to serve other requests. It is likely to backfire on you.
> >>
> >> On 16/04/13 23:12, Doug Smith wrote:
> >>> I like the approach of the Login Security Solution plugin in the way it
> >>> enforces strong passwords and attempts to track both IPs and logins then do
> >>> blocking, delays, and password resets.
> >>> http://wordpress.org/extend/plugins/login-security-solution/
> >>>
> >>> This particular distributed attack is mostly probing the user name
> >>> "admin". It would seem that if a user with that name does not exist (since
> >>> it's no longer a default) then the attempt could instantly be treated in
> >>> the way the Login Security Solution plugin does but without waiting for
> >>> repeated attempts. The delays would at least slow the attempts looking for
> >>> an "admin" user.
> >>>
> >>> Doug
> >>>
> >>> On Apr 16, 2013, at 10:39 AM, wp-hackers-request at lists.automattic.com wrote:
> >>>
> >>>> Message: 5
> >>>> Date: Tue, 16 Apr 2013 11:39:48 -0400
> >>>> From: Chip Bennett <chip at chipbennett.net>
> >>>> Subject: Re: [wp-hackers] Limit Login Attempts
> >>>> To: "[wp-hackers]" <wp-hackers at lists.automattic.com>
> >>>> Message-ID: <CAPdLKqd21azx7AA68mTgZ=r=AcoaXyZ+HAMri+pSjVn-jMS0=Q at mail.gmail.com>
> >>>> Content-Type: text/plain; charset=ISO-8859-1
> >>>>
> >>>> "Does that overlook something important?"
> >>>>
> >>>> Well, unless you whitelist your own IP address to bypass the login lockout,
> >>>> then if the brute-force attack attacks your actual username, you could find
> >>>> yourself locked out of your own site.
> >>>>
> >>>> Another solution is to .htaccess whitelist your own IP address for
> >>>> wp-login.php, but that may not exactly be a low-maintenance solution
> >>>> (dynamic IP addresses, logging in from multiple locations/IP
> >>>> addresses/devices, etc.).
> >>>>
> >>>>
> >>>> On Tue, Apr 16, 2013 at 11:32 AM, onlyunusedname <onlyunusedname at gmail.com> wrote:
> >>>>
> >>>>> I've been using something similar to what Jesse describes: limiting
> >>>>> attempts based on username so that I may disregard IP. Does that overlook
> >>>>> something important?
> >>>
> >>> --
> >>> Doug Smith: doug at smithsrus.com
> >>> http://smithsrus.com
> >>>
> >>> _______________________________________________
> >>> wp-hackers mailing list
> >>> wp-hackers at lists.automattic.com
> >>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>>
> >>
> >
> >
> >
> > --
> > Vid Luther
> > CEO and Founder
> > ZippyKid
> > Managed Wordpress Hosting
> > http://zippykid.com/
> > 210-789-0369
>
>
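The thread above circles around four throttling ideas: per-username lockout that ignores IP (onlyunusedname), an owner IP whitelist so an attack on the real username cannot lock the owner out (Chip), instant suspicion for anyone probing an "admin" account that does not exist (Doug, William), and a site-wide captcha for M minutes after N failures from anyone (Daniel). The following is an added example written for this page, not code from the thread or from the Login Security Solution plugin or any other WordPress plugin; it models those four policies together in plain Python with an injectable clock. Every threshold, username and IP address in it is constructed for illustration (the addresses are from the RFC 5737 documentation ranges), and `LoginThrottle`, `check`, `record_failure` and `simulate` are names invented here.

```python
import time
from collections import deque

# Policy knobs and sample data are constructed for this example; they are not
# values from the thread or from any WordPress plugin.
USER_LOCK_THRESHOLD = 5           # failed attempts per username before lockout
USER_LOCK_SECONDS = 15 * 60       # how long a username stays locked
GLOBAL_CAPTCHA_THRESHOLD = 50     # failures from anyone before everyone gets a captcha
GLOBAL_CAPTCHA_SECONDS = 10 * 60  # "M minutes" of captcha for all logins
KNOWN_USERS = {"editor", "dvorkin"}      # this site has no account named "admin"
OWNER_IP_WHITELIST = {"203.0.113.7"}     # owner's address; bypasses the lockout


class LoginThrottle:
    """Decides, before the password is even checked, how to treat a login attempt."""

    def __init__(self, now=time.time):
        self.now = now                    # injectable clock so tests can advance time
        self.user_failures = {}           # username -> deque of failure timestamps
        self.global_failures = deque()    # timestamps of all failures, any user or IP
        self.captcha_until = 0.0          # everyone sees a captcha until this time
        self.suspicious_ips = {}          # ip -> time it was flagged

    @staticmethod
    def _prune(dq, window, now):
        """Drop timestamps older than the sliding window."""
        cutoff = now - window
        while dq and dq[0] < cutoff:
            dq.popleft()

    def check(self, username, ip):
        """Return 'allow', 'captcha', 'locked' or 'suspicious' for this attempt."""
        t = self.now()
        # The owner's own address bypasses every lock, so a brute-force run
        # against the real username cannot lock the owner out of the site.
        if ip in OWNER_IP_WHITELIST:
            return "allow"
        if ip in self.suspicious_ips:
            return "suspicious"
        # Probing an "admin" account that does not exist is treated as hostile
        # on the first attempt, without waiting for repeated failures.
        if username == "admin" and "admin" not in KNOWN_USERS:
            self.suspicious_ips[ip] = t
            return "suspicious"
        dq = self.user_failures.get(username)
        if dq is not None:
            self._prune(dq, USER_LOCK_SECONDS, t)
            if len(dq) >= USER_LOCK_THRESHOLD:
                return "locked"          # per-username lock, regardless of IP
        if t < self.captcha_until:
            return "captcha"             # site-wide captcha window is active
        return "allow"

    def record_failure(self, username, ip):
        """Count a failed password check against the username and globally."""
        t = self.now()
        # Only track usernames that exist, so a distributed attack cannot grow
        # this table without bound by cycling through invented names.
        if username in KNOWN_USERS:
            self.user_failures.setdefault(username, deque()).append(t)
        self._prune(self.global_failures, GLOBAL_CAPTCHA_SECONDS, t)
        self.global_failures.append(t)
        if len(self.global_failures) >= GLOBAL_CAPTCHA_THRESHOLD:
            self.captcha_until = t + GLOBAL_CAPTCHA_SECONDS

    def record_success(self, username):
        """A successful login clears that username's failure history."""
        self.user_failures.pop(username, None)


def simulate():
    """Drive the throttle with a fake clock; returns the decisions it made."""
    clock = [1_000_000.0]
    th = LoginThrottle(now=lambda: clock[0])
    out = {}
    # A bot probes "admin", which does not exist on this site: flagged at once.
    out["admin_probe"] = th.check("admin", "198.51.100.1")
    # Brute force against a real username from one address until it locks.
    for _ in range(USER_LOCK_THRESHOLD):
        th.check("editor", "198.51.100.2")
        th.record_failure("editor", "198.51.100.2")
    out["editor_locked"] = th.check("editor", "198.51.100.2")
    # The owner, coming from the whitelisted address, is still let in.
    out["owner_allowed"] = th.check("editor", "203.0.113.7")
    # Distributed failures across many names and addresses push the site over
    # the global threshold; every login now gets a captcha, even a fresh address.
    for i in range(GLOBAL_CAPTCHA_THRESHOLD):
        th.record_failure(f"user{i}", f"198.51.100.{i + 10}")
    out["captcha_for_all"] = th.check("dvorkin", "198.51.100.250")
    # Both windows expire once the clock moves past the longer of the two.
    clock[0] += USER_LOCK_SECONDS + 1
    out["after_window"] = (th.check("dvorkin", "198.51.100.250"),
                           th.check("editor", "198.51.100.2"))
    return out


if __name__ == "__main__":
    for name, decision in simulate().items():
        print(f"{name}: {decision}")
```

Two design points follow directly from the thread. The throttle rejects or challenges rather than sleeping, because a delay holds a web server worker hostage for the duration, which is the backfire Abdussamad warns about. And because all of its state lives in one process, a site served by several workers or hosts (Vid's 250,000 connections/second case) would need that state in shared storage before the global counter meant anything.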

