[wp-trac] [WordPress Trac] #24193: Anti brute force protection
WordPress Trac
noreply at wordpress.org
Tue Apr 1 03:27:38 UTC 2014
#24193: Anti brute force protection
-------------------------+-----------------------
Reporter: MAzZY | Owner:
Type: enhancement | Status: reopened
Priority: normal | Milestone:
Component: Users | Version: 3.5.1
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
-------------------------+-----------------------
Comment (by nacin):
Two main problems with this:
* This would quickly balloon the options table and probably crash it. In
fact it'd be a fairly effective attack in its own right.
* It would do nothing to prevent distributed brute-force attempts. One
person with a huge botnet could ''trivially'' do some serious damage with
this. You'd need to do per-user stuff, rather than per-IP.
* OK, three problems. Per-user is tough because then it'd be easy to
block a user from logging in legitimately. In fact, it'd be a fairly
effective attack in its own right.
It's really, really hard to get this right. That's why every plugin I've
seen offers a serious amount of configuration, as if a user is going to
know how to best balance legitimate attempts versus dealing with a
distributed botnet. It's a terrible, horrible user experience.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/24193#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
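
The trade-off described in the comment above, modelled as an added Python example (not code from the ticket's patch or from WordPress). `THRESHOLD`, the `Throttle` class and the `src-N` source labels are assumptions made for the illustration, and the traffic is constructed.

```python
# Toy model of failed-login throttling keyed per IP versus per user.
from collections import Counter

THRESHOLD = 5  # assumed: failures allowed per key before that key is blocked


class Throttle:
    """Counts failed logins per key; key_of selects per-IP or per-user keying."""

    def __init__(self, key_of):
        self.key_of = key_of
        self.failures = Counter()  # stands in for one stored row per key

    def attempt(self, ip, user, password_ok):
        """Return 'blocked', 'ok' or 'fail' for a single login attempt."""
        key = self.key_of(ip, user)
        if self.failures[key] >= THRESHOLD:  # Counter lookup adds no row
            return "blocked"
        if password_ok:
            return "ok"
        self.failures[key] += 1
        return "fail"


def per_ip():
    return Throttle(lambda ip, user: ip)


def per_user():
    return Throttle(lambda ip, user: user)


def simulate(throttle, sources, user="admin"):
    """Constructed traffic: each source fails once, then the owner logs in."""
    outcomes = Counter(
        throttle.attempt(f"src-{n}", user, False) for n in range(sources)
    )
    return {
        "guesses_evaluated": outcomes["fail"],  # wrong guesses not stopped
        "rows": len(throttle.failures),         # stored counters
        "owner_login": throttle.attempt("owner-ip", user, True),
    }


if __name__ == "__main__":
    print("per-IP  :", simulate(per_ip(), 1000))
    print("per-user:", simulate(per_user(), 1000))
```

Per-IP keying stores one counter per source and never blocks a spread-out run, while per-user keying caps the guesses but leaves the account owner locked out.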