[wp-hackers] Securing Wordpress Login
Brian Layman
Brian at TheCodeCave.com
Mon Aug 21 13:52:06 GMT 2006
>Another option would be to have WordPress reset the user's password after
>X number of failed login attempts.
I've always thought that this leads to a great attack vector: invalidating a
small percentage of users' passwords every other day. Annoying the
membership of a site, rather than the site itself, could accomplish more
than a one-time brute-force break-in with a lot less effort.
Personally, I'd rather not see "retries" in the core, at least not on by
default. I would advocate a "strong password" option that just checks for
length, and three out of the following four categories, when the password is
chosen:
1. Upper case letters
2. Lower case letters
3. Numbers
4. Symbols/punctuation
Is the login screen pluggable? I've never looked...