[wp-hackers] Admin Login Brute Force Attacks (Revisited)
Dion Hulse (dd32)
wordpress at dd32.id.au
Fri May 17 15:17:28 UTC 2013
I've done similar stuff in wp-config.php before: a specific bot was hitting
my site rather heavily, so I added an if ( user_agent ) die(); check to the
top of wp-config.php.
I'd just add the same here:
if ( isset( $_POST['log'] ) && 'admin' == substr( $_POST['log'], 0, 5 ) ) die();
(Assuming the username field is 'log')
On 17 May 2013 10:08, Bryan Spahr <bryanspahr at gmail.com> wrote:
> For performance[*], I would like to be able to reject any login attempt
> where $_POST['log'] begins with 'admin', and to do it at the earliest
> moment, to minimize the load on my server.
> Is login_form_login a reasonable place for this kind of check? Or is there
> an earlier hook that would cause less load on the server?
> And what is the best way to "die" in this case - exit? die? redirect?
> [*] This is NOT intended as a security measure. I have taken all
> necessary and reasonable precautions to prevent someone from breaking in to
> any of the I host. I'm looking to mitigate the resource usage caused by bots
> trying to log in as admin, or adminadmin, or administrator, which is what I
> have been seeing for the past few months.
> > On Wed, Mar 20, 2013 at 6:10 PM, Chip Bennett <chip at chipbennett.net> wrote:
> > > Also: I keep the "admin" account - reduced to the "subscriber" role. It
> > > makes for a great honeypot.
> > Totally unnecessary. I have no "admin" account at all on my site. I
> > get the Limit Login Attempts email 8-12 times a day regardless. All
> > "admin" attempts.
> > -Otto
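The early-reject check Dion sketches, written out as an added PHP example (not code from the thread): it is meant to sit at the top of wp-config.php so it runs before WordPress loads. The function name, the 403 response, the wp-login.php path check and the case-insensitive compare are assumptions; the thread's own check is a case-sensitive substr() against 'admin'.

```php
<?php
// Added example, not from the thread: reject login POSTs whose username
// begins with "admin" before WordPress loads. Place at the top of wp-config.php.

function wp_hackers_is_admin_login_attempt( array $server, array $post ) : bool {
    // Only look at form submissions to the login page; 'log' is the
    // username field of wp-login.php (as assumed in the thread).
    if ( ( $server['REQUEST_METHOD'] ?? '' ) !== 'POST' ) {
        return false;
    }
    $path = parse_url( $server['REQUEST_URI'] ?? '', PHP_URL_PATH );
    if ( ! is_string( $path ) || basename( $path ) !== 'wp-login.php' ) {
        return false;
    }
    if ( ! isset( $post['log'] ) || ! is_string( $post['log'] ) ) {
        return false;
    }
    // strncasecmp instead of the thread's case-sensitive substr() compare,
    // so "Admin" and "ADMINISTRATOR" are caught as well (assumption).
    return strncasecmp( trim( $post['log'] ), 'admin', 5 ) === 0;
}

if ( wp_hackers_is_admin_login_attempt( $_SERVER, $_POST ) ) {
    // Terse 403 and stop before WordPress is loaded; no redirect, since a
    // follow-up request is exactly the load the check is meant to avoid.
    http_response_code( 403 );
    header( 'Content-Type: text/plain; charset=utf-8' );
    exit( 'Forbidden' );
}
```

Because the check reads $_SERVER and $_POST directly, it costs nothing beyond PHP startup; a legitimate user whose name happens to start with "admin" is locked out too, which is the trade-off Bryan accepts.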