[wp-hackers] Securing Wordpress Login
Jamie Holly
hovercrafter at earthlink.net
Mon Aug 21 14:20:50 GMT 2006
There are hooks on the wp-login.php page, but going your route would
actually rely on hooking into the profile page since that is where passwords
are changed. Wordpress actually does a good job at generating the random
password when you first register so you wouldn't need to check there.
This would also be a working solution (I know some forum software uses this
same type of check).
The other option would be to generate a plugin to invoke the captcha or
retry system and possibly distribute it with the core Wordpress just as an
option for people to secure their sites a little more.
Jamie Holly
http://www.intoxination.net
-----Original Message-----
From: wp-hackers-bounces at lists.automattic.com
[mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Brian Layman
Sent: Monday, August 21, 2006 9:52 AM
To: wp-hackers at lists.automattic.com
Subject: RE: [wp-hackers] Securing Wordpress Login
>Another option would be to have WordPress reset the user's password after
>X number of failed login attempts.
I've always thought that this leads to a great attack vector: invalidating a
small percentage of users' passwords every other day. Annoying the
membership of a site, rather than the site itself, could accomplish more
than a one-time brute-force break-in with a lot less effort.
Personally, I'd rather not see "retries" in the core, at least not on by
default. I would advocate a "strong password" option that just checks for
length, and three out of the following four categories, when the password is
chosen:
1. Upper case letters
2. Lower case letters
3. Numbers
4. Symbols/punctuation
Is the login screen pluggable? I've never looked...
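The length-plus-three-of-four check Brian describes, written out as an added Python example (not code from this thread or from WordPress). The minimum length of 8 is an assumption, since the message gives no number, and the "symbols/punctuation" class is taken to be any character outside ASCII letters and digits, so whitespace and non-ASCII letters land in that class.

```python
import re

# Assumed minimum length; the proposal says "checks for length" without a number.
MIN_LENGTH = 8

# One pattern per category from the proposal. The symbol class is defined
# as "anything that is not an ASCII letter or digit" (assumption), so a space
# or an accented letter counts as a symbol rather than being ignored.
CATEGORIES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
REQUIRED_CATEGORIES = 3  # three out of the four classes must appear


def categories_present(password):
    """Return the set of category names that occur at least once in password."""
    return {name for name, pattern in CATEGORIES.items() if pattern.search(password)}


def check_password_strength(password, min_length=MIN_LENGTH):
    """Return the list of policy violations; an empty list means the password passes.

    Each rule is reported independently so a user sees every reason at once,
    the way a profile-page validator would surface them.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    present = categories_present(password)
    if len(present) < REQUIRED_CATEGORIES:
        missing = ", ".join(sorted(set(CATEGORIES) - present))
        problems.append(
            f"uses only {len(present)} of 4 character classes (missing: {missing})"
        )
    return problems


def is_strong(password, min_length=MIN_LENGTH):
    """True when the password satisfies both the length and the 3-of-4 rule."""
    return not check_password_strength(password, min_length)


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ["password", "Ab1", "correct horse", "Tr0ub4dor", "P@ssw0rd"]:
        verdict = check_password_strength(candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```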
_______________________________________________
wp-hackers mailing list
wp-hackers at lists.automattic.com
http://lists.automattic.com/mailman/listinfo/wp-hackers