[wp-hackers] Admin Login Brute Force Attacks (Revisited)

Bryan Spahr bryanspahr at gmail.com
Fri May 17 15:08:53 UTC 2013


For performance[*], I would like to be able to reject any login attempt
where $_POST['log'] begins with 'admin', and to do it at the earliest possible
moment, to minimize the load on my server.

Is login_form_login a reasonable place for this kind of check?  Or is there
an earlier hook that would cause less load on the server?

And what is the best way to "die" in this case - exit? die? redirect?


Thanks,
Bryan

[*] This is NOT intended as a security measure.  I have taken all necessary and
reasonable precautions to prevent someone from breaking in to any of the sites
I host.  I'm looking to mitigate the resource usage caused by bots trying to
log in as admin, or adminadmin, or administrator which is what I'm seeing and
have been seeing for the past few months.


> On Wed, Mar 20, 2013 at 6:10 PM, Chip Bennett <chip at chipbennett.net> wrote:
> > Also: I keep the "admin" account - reduced to the "subscriber" role. It
> > makes for a great honeypot.
>
> Totally unnecessary. I have no "admin" account at all on my site. I
> get the Limit Login Attempts email 8-12 times a day regardless. All
> "admin" attempts.
>
> -Otto
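One way to do what Bryan asks, written as an added example for this archive page rather than code from anyone in the thread: a must-use plugin that hooks `login_init`, which wp-login.php fires before `login_form_{$action}` and before any user lookup or password hashing, so a rejected request never touches the database for authentication. The plugin name, the `bs_` function prefix and the decision to answer with a bare 403 are assumptions of this example. It answers the "die" question by sending a status header and calling `exit`; `wp_die()` would render a template and a redirect would cost the bot (and the server) a second request. As in the original post, this is a load-shedding measure, not a security control, and it does not replace rate limiting or strong credentials.

```php
<?php
/**
 * Plugin Name: Reject admin* login attempts early (example)
 * Description: Hypothetical must-use plugin for wp-content/mu-plugins/.
 *              Drops POSTed logins whose username starts with "admin" to
 *              save server resources on bot traffic. Not a security control.
 */

/**
 * Decide whether a submitted username should be rejected.
 *
 * Kept free of WordPress calls so the rule itself can be exercised from a
 * plain PHP CLI without loading WordPress.
 *
 * @param mixed $name Raw value of $_POST['log'].
 * @return bool True when the (trimmed, lower-cased) name starts with "admin".
 */
function bs_is_rejected_login_name( $name ) {
	// Normalise so "Admin", " admin " and "ADMINISTRATOR" are all caught;
	// "adminadmin" and "administrator" both share the "admin" prefix.
	$name = strtolower( trim( (string) $name ) );
	return 0 === strncmp( $name, 'admin', 5 );
}

/**
 * Runs on login_init, i.e. before login_form_{$action} and before the
 * login form is processed, so no user query or hash check happens.
 */
function bs_reject_admin_login_early() {
	// Only POSTed login attempts are of interest; GET renders the form.
	if ( ! isset( $_SERVER['REQUEST_METHOD'] ) || 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
		return;
	}
	if ( ! isset( $_POST['log'] ) || ! bs_is_rejected_login_name( $_POST['log'] ) ) {
		return;
	}

	// Cheapest possible exit: a 403 with no body, no redirect, no template.
	// nocache_headers() keeps any intermediate cache from storing the 403.
	status_header( 403 );
	nocache_headers();
	exit;
}
add_action( 'login_init', 'bs_reject_admin_login_early' );

// Constructed sample inputs for checking the rule outside WordPress, e.g.
// `php -r 'require "bs-reject-admin.php";'` with the add_action line stubbed:
//   bs_is_rejected_login_name( 'admin' )         -> true
//   bs_is_rejected_login_name( 'Administrator' ) -> true
//   bs_is_rejected_login_name( 'adminadmin' )    -> true
//   bs_is_rejected_login_name( 'bryan' )         -> false
```

Because mu-plugins load before regular plugins, this runs ahead of any login-limiting plugin as well; if an earlier cut-off is wanted than WordPress can offer, the remaining option is the web server or a reverse proxy in front of it, which can reject the request before PHP starts at all.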

