[wp-hackers] WordPress can "leak" if a username is valid
Otto
otto at ottodestruct.com
Mon Feb 18 21:52:37 GMT 2008
On Feb 18, 2008 3:19 PM, James Davis <james at freecharity.org.uk> wrote:
> I'm not disagreeing with how these tickets should be closed but you've
> not illustrated why a brute force attack against WordPress is different
> to a brute force attack against SSH and why they shouldn't be afforded
> the same protective measures.

I can repeatedly send password attacks to an SSH server very fast
without it being particularly impacted by it.

Hitting a WordPress server very fast would either a) have a very long
round trip time or b) bring down the server due to the sudden high
amount of database activity.

A webpage is slower than SSH.

> (I'm not sure that blocking IPs is such a great idea - probably left to
> a plugin.)

Agreed, just pointing out that the solution to a brute force threat is
straightforward. Making error messages less verbose and useful doesn't
solve any real problems.

-Otto