[wp-hackers] Admin Login Brute Force Attacks (Revisited)

Harry Metcalfe harry at dxw.com
Fri May 17 15:42:04 UTC 2013

I'd recommend using something like Varnish or nginx to do this - so that 
the requests never even get to Apache.


On 17/05/13 16:08, Bryan Spahr wrote:
> For performance[*], I would like to be able to reject any login attempt
> where _POST['log'} begins with 'admin', and to do it at the earliest possible
> moment, to minimize the load on my server.
> Is login_form_login a reasonable place for this kind of check?  Or is there
> an earlier hook that would cause less load on the server?
> And what is the best way to "die" in this case - exit? die? redirect?
> Thanks,
> Bryan
> [*] This is NOT intended as a security measure.  I have taken all necessary and
> reasonable precautions to prevent someone from breaking in to any of the sites
> I host.  I'm looking to mitigate the resource usage caused by bots trying to
> log in as admin, or adminadmin, or administrator which is what I'm seeing and
> have been seeing for the past few months.
>> On Wed, Mar 20, 2013 at 6:10 PM, Chip Bennett <chip at chipbennett.net <http://lists.automattic.com/mailman/listinfo/wp-hackers>> wrote:
>>> * Also: I keep the "admin" account - reduced to the "subscriber" role. It*> >* makes for a great honeypot.*>
>> Totally unnecessary. I have no "admin" account at all on my site. I
>> get the Limit Login Attempts email 8-12 times a day regardless. All
>> "admin" attempts.
>> -Otto
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list