[wp-hackers] Limit Login Attempts

Chris Williams chris at clwill.com
Wed Apr 17 15:30:39 UTC 2013


I firmly believe that leveraging the information gathered by 60+ million
WP sites can defend us against botnets that are a tiny fraction of that
size.  Just as it has for the issue of spam.

>So, given these two facts:
> * The bot can succeed if you have a weak password
> * The bot can't succeed if you have a strong password

The definition of the term "strong" is just the foothold of an arms race.
How strong is strong enough?

Overall, it seems imbalanced that we would be advocating the changing of
literally hundreds of millions of username/password pairs by millions of
people as the solution to any problem.  We can't insure/enforce this in
any way.  Even with the changes you are advocating, what percentage of
users will follow suit?  10%?  20%?  That leaves literally tens of
millions of sites for the attackers.

But... A central service, with a view of this problem across the world,
can make a huge difference.



More information about the wp-hackers mailing list