[wp-trac] [WordPress Trac] #25810: Add nonce to wp-login.php
WordPress Trac
noreply at wordpress.org
Mon Nov 4 00:58:36 UTC 2013
#25810: Add nonce to wp-login.php
-----------------------------+----------------------
Reporter: strangerstudios | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Security | Version:
Severity: normal | Resolution: invalid
Keywords: |
-----------------------------+----------------------
Changes (by bpetty):
* keywords: dev-feedback =>
* status: new => closed
* resolution: => invalid
* milestone: Awaiting Review =>
Comment:
Nonce values are designed to protect against [http://en.wikipedia.org/wiki/Cross-site_request_forgery CSRF] and replay attacks, and they rely heavily on an authenticated user to provide unique nonce values (not just based on time).

They are not designed to protect against (unauthenticated) brute force requests. Even given your shortened 30 minutes, bots would simply make another request for a valid nonce to continue brute force attacks for the next 30 minutes (assuming the first 30 wasn't enough already).
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25810#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
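The point made in the comment, as an added example that is not WordPress code and not part of the ticket: a simplified WordPress-style nonce keyed the way wp_create_nonce keys it (tick, action, user id, session token), a model of a bot that re-fetches wp-login.php before every POST, and the per-client rate limiter that actually bounds unauthenticated guessing. The secret, the client address and the limiter thresholds are constructed values.

```python
import hashlib
import hmac

# Constructed secret; real WordPress derives this from NONCE_KEY/NONCE_SALT.
NONCE_SECRET = b"constructed-nonce-secret-for-demo"
NONCE_LIFE = 30 * 60  # the 30-minute lifetime proposed in the ticket

def nonce_tick(now, life=NONCE_LIFE):
    """WordPress-style tick: ceil(now / (life / 2)); a nonce spans two ticks."""
    return -(-now // (life // 2))

def create_nonce(action, user_id, session_token, now):
    """Simplified wp_create_nonce: keyed hash of tick|action|uid|token.
    Unauthenticated visitors get user id 0 and an empty token, so every
    anonymous client receives the same nonce within a tick."""
    msg = f"{nonce_tick(now)}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(NONCE_SECRET, msg, hashlib.sha256).hexdigest()[:10]

def verify_nonce(nonce, action, user_id, session_token, now):
    """Accept the current tick or the previous one (up to NONCE_LIFE old)."""
    for back in (0, NONCE_LIFE // 2):
        expected = create_nonce(action, user_id, session_token, now - back)
        if hmac.compare_digest(nonce, expected):
            return True
    return False

def rate_limit(log, client, now, max_attempts=5, window=300):
    """Per-client sliding-window limiter (constructed): the control that
    actually bounds unauthenticated guessing. Returns True if allowed."""
    hits = [t for t in log.get(client, []) if now - t < window]
    allowed = len(hits) < max_attempts
    if allowed:
        hits.append(now)
    log[client] = hits
    return allowed

def accepted_attempts(n, now, client="203.0.113.5", limiter=False):
    """Model a bot that re-fetches the login form (and its nonce) before each
    POST, one per second. Without the limiter the nonce rejects nothing."""
    log, accepted = {}, 0
    for i in range(n):
        t = now + i
        nonce = create_nonce("login", 0, "", t)   # what the form hands out
        ok = verify_nonce(nonce, "login", 0, "", t)
        if ok and limiter:
            ok = rate_limit(log, client, t)
        accepted += ok
    return accepted
```

With the limiter off, 1000 guesses over 1000 seconds all pass the nonce check; with the constructed limiter (5 per 300 s) only 20 do, which is the difference between a CSRF control and a brute-force control.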