[wp-hackers] Securing Wordpress Login
Roy Schestowitz
r at schestowitz.com
Mon Aug 21 14:10:36 GMT 2006
___/ On Mon 21 Aug 2006 14:05:49 BST, [ Jamie Holly ] wrote : \___
> I had to go through this a couple of times on sites I administer. The
> problem is you get some punk that loves to cause problems who decides to try
> and brute force a login by running a dictionary file against the password
> and login information to gain access to Wordpress.
It took me a while to find it, but this was discussed in this list before.
http://comox.textdrive.com/pipermail/wp-hackers/2005-December/003385.html
This large thread had quite a few solutions proposed, but I don't
think any was incorporated into the release (2.0) at the end.
> Sometimes trying to
> explain to people that making up a random password consisting of upper and
> lower case letters along with numbers just doesn't get through.
Add some simple test that checks the password against a
dictionary and rejects trivial-to-guess passwords. The worst
type of attacks don't use whole dictionaries to crack a
single account. Using single words on many accounts is more
effective if one wished to wreak havoc. Many systems assume
this so there's a dictionary-based check, in addition to
imposition of a lower bound on the number of characters and
enforcing of a rich mix of characters.
> I have ended
> up hacking wp-login.php on these sites to include a CAPTCHA with every
> login.
Upon first inspection, this would raise concerns among the blind (see below).
> I was wondering what everyone thought about adding something similar to the
> core. It could even be modified to be similar to the way Yahoo works it,
> where you get X amount of failed attempts and after that you are forced to
> using the CAPTCHA.
...but that sounds much more sensible.
> Another option would be to have Wordpress reset the user's password after X
> number of failed login attempts. This would be more ideal for people who are
> hosted on companies that do not have GDImage enabled in PHP. Of course we
> could make it customizable through the admin options:
The one issue with this is that it opens the system to
account-targeted vandalism. Someone can affect one's
account and cause great inconvenience. Since it's not a
brute-force-type attack, it will probably be less tolerable
than DDoS attacks on the login page, which at the very worst
lead to problems in the database or bring down the server.
You wouldn't want Senator Gore with his 20-buck-a-month
hosting relying on this... *LOL*
> - Enable login security
>
> - Number of failed login attempts before invoking security
>
> - Security method: Password reset or CAPTCHA
>
>
> Considering the growing popularity of Wordpress and the increased use on
> political sites, which are high targets for these attacks, I feel that
> increasing security on the login would be highly welcomed.
I concur.
Best wishes,
Roy
--
Roy S. Schestowitz, Ph.D. Candidate in Medical Biophysics
http://Schestowitz.com | GNU/Linux | PGP-Key: 0x74572E8E
http://othellomaster.com - GPL'd 3-D Othello
http://iuron.com - proposing a non-profit search engine
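As an added illustration of the two points made in this reply (a dictionary and character-mix check on new passwords, and a failed-attempt counter that escalates to a CAPTCHA instead of resetting the password, so that failed logins cannot be used to lock the real owner out), here is a small stand-alone PHP sketch. It is example code written for this note, not code from the thread or from WordPress core; the word list, usernames, timestamps and thresholds are constructed, and the function names are hypothetical.

```php
<?php
// Added example (not from the wp-hackers thread or WordPress core): a
// dictionary/length/character-mix password check and a per-account
// failed-login counter that escalates to a CAPTCHA rather than resetting
// the password. All names and values below are constructed for illustration.

declare(strict_types=1);

// Constructed stand-in for a real word list such as /usr/share/dict/words.
const SAMPLE_DICTIONARY = ['password', 'letmein', 'wordpress', 'admin', 'qwerty'];

/**
 * Return the list of policy failures for $password (empty array = accepted).
 * Checks: minimum length, a mix of character classes, and rejection of
 * dictionary words, including the common "word + digits" pattern.
 */
function check_password_policy(string $password, array $dictionary, int $minLength = 8): array
{
    $failures = [];

    if (strlen($password) < $minLength) {
        $failures[] = "shorter than {$minLength} characters";
    }

    // Require three of four classes: lower case, upper case, digit, other.
    $classes = 0;
    $classes += (int) preg_match('/[a-z]/', $password);
    $classes += (int) preg_match('/[A-Z]/', $password);
    $classes += (int) preg_match('/[0-9]/', $password);
    $classes += (int) preg_match('/[^a-zA-Z0-9]/', $password);
    if ($classes < 3) {
        $failures[] = 'needs at least three of: lower case, upper case, digits, symbols';
    }

    // Dictionary check: case-insensitive, ignoring trailing digits so that
    // "Password1" is treated as the word "password".
    $stem = strtolower((string) preg_replace('/[0-9]+$/', '', $password));
    if (in_array($stem, array_map('strtolower', $dictionary), true)) {
        $failures[] = 'based on a dictionary word';
    }

    return $failures;
}

/**
 * Failed-login bookkeeping. $state maps username => ['count' => int, 'first' => unix time].
 * After $threshold failures inside $window seconds the caller must require a
 * CAPTCHA. The account is never locked or reset, so an attacker cannot turn
 * failed attempts into a denial of service against the real owner.
 */
function record_failed_login(array &$state, string $user, int $now, int $threshold = 5, int $window = 900): bool
{
    if (!isset($state[$user]) || $now - $state[$user]['first'] > $window) {
        $state[$user] = ['count' => 0, 'first' => $now];
    }
    $state[$user]['count']++;
    return $state[$user]['count'] >= $threshold;   // true => require CAPTCHA
}

// Called after a successful login so a genuine user is not nagged forever.
function clear_failed_logins(array &$state, string $user): void
{
    unset($state[$user]);
}

// Demonstration with constructed input.
foreach (['Password1', 'Tr0ub4dor&3', 'short'] as $candidate) {
    $problems = check_password_policy($candidate, SAMPLE_DICTIONARY);
    printf("%-12s %s\n", $candidate, $problems ? 'rejected: ' . implode('; ', $problems) : 'accepted');
}

$attempts = [];
$baseTime = 1156169400;   // constructed timestamp, not taken from any log
for ($i = 1; $i <= 6; $i++) {
    $captcha = record_failed_login($attempts, 'editor', $baseTime + $i);
    printf("failure %d for 'editor': captcha required = %s\n", $i, $captcha ? 'yes' : 'no');
}
clear_failed_logins($attempts, 'editor');
```

In this sketch `Password1` is rejected as a dictionary word even though it meets the length and character-mix rules, which is the case the reply is getting at: a word plus a digit is exactly what a single-word-across-many-accounts attack tries first. The counter keys on the account, not the client address, and its only consequence is a CAPTCHA, which is why it does not hand a vandal the ability to reset someone else's password. In a real deployment the state would live in the database rather than a PHP array.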