[wp-hackers] Limit Login Attempts

Dre Armeda dre at armeda.com
Tue Apr 16 15:42:13 UTC 2013


The most effective way to limit issues is at the edge. Unique passwords 
will thwart the attack from getting in, but that doesn't account for 
resource handling. If you can limit the amount of traffic from ever 
getting to the box, you're in a better place. Find out what your host is 
doing to limit larger-scale brute force attacks; that's your best bet.

Dre

> Chip Bennett <mailto:chip at chipbennett.net>
> April 16, 2013 12:39 PM
> "Does that overlook something important?"
>
> Well, unless you whitelist your own IP address to bypass the login
> lockout, then if the brute-force attack attacks your actual username,
> you could find yourself locked out of your own site.
>
> Another solution is to .htaccess whitelist your own IP address for
> wp-login.php, but that may not exactly be a low-maintenance solution
> (dynamic IP addresses, logging in from multiple locations/IP
> addresses/devices, etc.).
>
>
> On Tue, Apr 16, 2013 at 11:32 AM, onlyunusedname
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
> onlyunusedname <mailto:onlyunusedname at gmail.com>
> April 16, 2013 12:32 PM
> I've been using something similar to what Jesse describes: limiting
> attempts based on username so that I may disregard IP. Does that overlook
> something important?
>
>
> Tom Barrett <mailto:tcbarrett at gmail.com>
> April 16, 2013 12:30 PM
> Is there any way to set up a collective pool, a global 'limit login
> attempts blacklist'?
>
> Chip Bennett <mailto:chip at chipbennett.net>
> April 16, 2013 12:25 PM
> I agree that Limit Login Attempts is useful, and does block single-IP
> brute-force attacks. (I use, and love, Limit Login Attempts.)
>
> But this particular botnet has demonstrated the ability to vary the IP
> address used to brute-force a given site. That behavior, IIRC, has been
> observed in the wild.
>
> My caution in adding Limit Login Attempts to core in response to this
> attack is that it would give a false sense of security, WRT both
> brute-force login attempts and DDoS.
>
>
> Chris Williams <mailto:chris at clwill.com>
> April 16, 2013 12:14 PM
> Because if you only allow each IP four (Five? Six?) login attempts per
> day, you essentially stop them all.
>
> In my log analysis, it's not the case that each IP only makes a few
> attempts. They try hundreds/thousands. Now they are hitting my block,
> which requires a block of four attempts four times (16 total hits in a one
> day period).
>
> If you look at the analysis on this, it all says something like "at 1000
> attempts/minute it takes only N days to crack your short password". Well,
> at 4 attempts/day, that number becomes millennia.
>
> More to the point, why NOT do this? It doesn't require everyone to change
> their password. It doesn't require everyone to remove the "admin"
> account. It doesn't require any changes at all, yet helps protect even the
> most lax of password choosers.
>
>
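As an added illustration (not code from this thread or from the Limit Login Attempts plugin), the Python below replays the three situations the posters describe: a single-IP brute force against an IP-keyed limit of four failures per day, the same volume spread over many IPs, and a username-keyed limit that locks the real owner out unless their IP is whitelisted. The addresses and traffic are constructed sample data.

```python
from collections import defaultdict

DAY = 86400  # lockout window in seconds: "four attempts per day"


def replay(key_of, attempts, max_attempts=4, window=DAY, ip_whitelist=frozenset()):
    """Replay login attempts against a lockout policy and count the outcome.

    key_of(ip, user) selects what the lockout counter is keyed on (the client
    IP or the target username). attempts is a sequence of
    (timestamp, ip, username, password_correct). An attempt whose key already
    has max_attempts failures inside the window is refused before the password
    is checked at all; whitelisted IPs are never refused. Returns
    (checked, refused).
    """
    failures = defaultdict(list)  # key -> timestamps of recent failures
    checked = refused = 0
    for t, ip, user, password_correct in attempts:
        if ip in ip_whitelist:
            checked += 1
            continue
        key = key_of(ip, user)
        failures[key] = [f for f in failures[key] if f > t - window]
        if len(failures[key]) >= max_attempts:
            refused += 1
            continue
        checked += 1
        if not password_correct:
            failures[key].append(t)
    return checked, refused


def by_ip(ip, user):
    return ip


def by_username(ip, user):
    return user


# Constructed traffic (documentation address ranges, not real hosts):
# 1000 guesses at "admin" from one IP, 1000 spread over 250 IPs, and the
# site owner's own correct login afterwards.
SINGLE_IP = [(i, "203.0.113.5", "admin", False) for i in range(1000)]
BOTNET = [(i, f"198.51.100.{i % 250 + 1}", "admin", False) for i in range(1000)]
OWNER = [(2000, "192.0.2.10", "admin", True)]

if __name__ == "__main__":
    print("IP key, single IP:      ", replay(by_ip, SINGLE_IP))  # (4, 996)
    print("IP key, 250 IPs:        ", replay(by_ip, BOTNET))  # (1000, 0)
    print("user key, then owner:   ", replay(by_username, SINGLE_IP + OWNER))  # (4, 997)
    print("user key + IP whitelist:", replay(by_username, SINGLE_IP + OWNER,
                                             ip_whitelist={"192.0.2.10"}))  # (5, 996)
```

The second run shows why an IP-keyed limit alone does not stop a botnet that rotates addresses, and the third shows how a username-keyed limit turns the attack into a denial of service against the account owner.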

