[wp-trac] [WordPress Trac] #24193: Anti brute force protection
WordPress Trac
noreply at wordpress.org
Thu Apr 25 21:34:15 UTC 2013
#24193: Anti brute force protection
-------------------------+------------------------------
Reporter: MAzZY | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version: 3.5.1
Severity: normal | Resolution:
Keywords: |
-------------------------+------------------------------
Comment (by knutsp):
I'm afraid that a PHP sleep for some seconds is out of the question for
core. It could very easily bring down servers due to overload. At least I
fear that.
A captcha, while quite bad and hated, after n failed attempts on the same
user and IP, could be an acceptable solution.
We should then make a plugin as "proof of concept". It should have no
options, but hooks so its behaviour can be modified by (other) plugins.
A good, simple, clean, well-written plugin may have a chance of being
accepted for core consideration.
1. Must not consume a lot of resources, especially under an attack
2. Must have negligible impact when logging the failed login attempts
3. Must never lock out legitimate users
4. Must not let anyone make trouble for other users
5. Maybe differentiate between users that have a strong password and
those who have not
6. Should provide fallbacks or options for other login plugins like
"Sidebar Login"
We must not forget that WordPress has millions of installations, mostly on
shared hosting, and we have big multisites. A core thing will be the
default for all. In times of attacks it must not make things worse, and it
can easily do so.
I'm willing to contribute to such a plugin if we reach consensus on how it
should work. Comments from core developers would be very useful.
But in making a plugin, there is a chance it will have to stay as "yet
another login security plugin", and the whole thing regarded as "plugin
territory".
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24193#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
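A minimal proof-of-concept plugin along the lines sketched in the comment above, added here as an illustration: it is not knutsp's code, not an attachment to the ticket, and not a WordPress core API. It counts failed logins per (submitted identifier, client IP) pair in a transient, and once a filterable threshold is reached it short-circuits the password check and hands the decision to a challenge (captcha) plugin through a filter. The hooks wp_login_failed, wp_login, wp_authenticate_user and the transient functions are real WordPress core APIs; every bfpoc_* function name, constant and hook is an assumption made for this example.

```php
<?php
/**
 * Plugin Name: Brute force PoC (added example, not from the ticket)
 * Description: After a filterable number of failed logins for the same
 *              (identifier, client IP) pair, skip the password check and
 *              hand the request to a challenge (captcha) plugin via a filter.
 */

// All bfpoc_* names and the 'bfpoc_*' hooks are assumptions made for this
// example. wp_login_failed, wp_login, wp_authenticate_user and the
// transient functions are real WordPress core APIs.
define( 'BFPOC_WINDOW', 15 * MINUTE_IN_SECONDS ); // counters expire on their own
define( 'BFPOC_DEFAULT_THRESHOLD', 5 );

/** Client address. X-Forwarded-For is ignored unless a proxy-aware host opts in. */
function bfpoc_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return apply_filters( 'bfpoc_client_ip', $ip );
}

/** Key on identifier AND IP, so a stranger cannot push a user over the
 *  threshold from another address (requirement 4 in the comment). */
function bfpoc_key( $identifier ) {
    return 'bfpoc_' . md5( strtolower( trim( $identifier ) ) . '|' . bfpoc_client_ip() );
}

/** One transient read; served from the object cache where the host has one. */
function bfpoc_failures( $identifier ) {
    $count = get_transient( bfpoc_key( $identifier ) );
    return ( false === $count ) ? 0 : (int) $count;
}

/** Runs only on the failure path, so successful logins pay nothing extra
 *  (requirement 2). The rejection this plugin itself issues is not counted,
 *  otherwise every retry would extend the window indefinitely. The second
 *  argument is only supplied by WordPress 5.4+, hence the default. */
function bfpoc_record_failure( $username, $error = null ) {
    if ( is_wp_error( $error ) && 'bfpoc_challenge_required' === $error->get_error_code() ) {
        return;
    }
    set_transient( bfpoc_key( $username ), bfpoc_failures( $username ) + 1, BFPOC_WINDOW );
}
add_action( 'wp_login_failed', 'bfpoc_record_failure', 10, 2 );

/** A successful login clears the counters for that person at that IP. */
function bfpoc_clear( $user_login, $user ) {
    delete_transient( bfpoc_key( $user_login ) );
    delete_transient( bfpoc_key( $user->user_email ) );
}
add_action( 'wp_login', 'bfpoc_clear', 10, 2 );

/** wp_authenticate_user runs after the user lookup but before the password
 *  hash is verified, so an attacker above the threshold never makes the
 *  server do the expensive part (requirement 1), and no sleep() is needed. */
function bfpoc_gate( $user, $password ) {
    if ( ! $user instanceof WP_User ) {
        return $user; // an earlier filter already rejected this attempt
    }
    // The person may have typed either the login name or the e-mail address.
    $failures  = max( bfpoc_failures( $user->user_login ), bfpoc_failures( $user->user_email ) );
    // Passing $user lets another plugin raise the threshold for accounts with
    // strong passwords (requirement 5) without any option in this plugin.
    $threshold = (int) apply_filters( 'bfpoc_threshold', BFPOC_DEFAULT_THRESHOLD, $user );
    if ( $failures < $threshold ) {
        return $user;
    }
    // A captcha plugin decides whether this request has passed its challenge.
    // Without one the attempt is rejected, but only until the counter expires;
    // the account itself is never disabled (requirement 3).
    if ( apply_filters( 'bfpoc_challenge_passed', false, $user ) ) {
        return $user;
    }
    return new WP_Error(
        'bfpoc_challenge_required',
        __( 'Too many failed login attempts for this account from your address. Please complete the challenge or wait a few minutes.' )
    );
}
add_filter( 'wp_authenticate_user', 'bfpoc_gate', 10, 2 );
```

Because it hooks the core authentication chain rather than the login form, anything that ends in wp_signon() (the standard form, XML-RPC, widgets such as "Sidebar Login") gets the same behaviour, which covers requirement 6 without form-specific code. The known trade-off of keying on IP is shared addresses: a legitimate user behind the same NAT as an attacker is delayed until the window expires, never locked out permanently.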