[wp-hackers] Limit Login Attempts

onlyunusedname onlyunusedname at gmail.com
Tue Apr 16 15:54:21 UTC 2013


Thanks, Dre.  My own, personal role in the WordPress ecosphere is to make
my code as secure as possible independent of hosting (and to do so assuming
the worst about hosting.)  But if you could easily steer me towards any
best practices re: what you are describing, I would be grateful to read it.


And thanks for that thought also, Chip.  I suppose one could have a
captcha-protected request-new-password-via-email routine that allowed new
login attempts, but I haven't implemented that yet.  Food for thought.  It
hasn't been a problem I've needed to deal with yet.  (In the case of my own
user account, I tend to have alternate access to the database itself, so I
could just manually unlock my account, but that wouldn't help other users.)




On Tue, Apr 16, 2013 at 11:42 AM, Dre Armeda <dre at armeda.com> wrote:

> The most effective way to limit issues is at the edge. Unique passwords
> will thwart the attack from getting in, but that doesn't account for
> resource handling. If you can limit the amount of traffic from ever getting
> to the box, you're in a better place. Find out what your host is doing to
> limit larger scale brute force attacks, that's your best bet.
>
> Dre
>
>  Chip Bennett <chip at chipbennett.net>
>> April 16, 2013 12:39 PM
>>
>> "Does that overlook something important?"
>>
>> Well, unless you whitelist your own IP address to bypass the login lockout,
>> then if the brute-force attack attacks your actual username, you could find
>> yourself locked out of your own site.
>>
>> Another solution is to .htaccess whitelist your own IP address for
>> wp-login.php, but that may not exactly be a low-maintenance solution
>> (dynamic IP addresses, logging in from multiple locations/IP
>> addresses/devices, etc.).
>>
>>
>> On Tue, Apr 16, 2013 at 11:32 AM, onlyunusedname
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>> onlyunusedname <onlyunusedname at gmail.com>
>> April 16, 2013 12:32 PM
>>
>> I've been using something similar to what Jesse describes: limiting
>> attempts based on username so that I may disregard IP. Does that overlook
>> something important?
>>
>>
>> Tom Barrett <tcbarrett at gmail.com>
>> April 16, 2013 12:30 PM
>>
>> Is there any way to set up a collective pool, a global 'limit login
>> attempts blacklist'?
>>
>>
>>
>>
>>
>> Chip Bennett <chip at chipbennett.net>
>> April 16, 2013 12:25 PM
>>
>> I agree that Limit Login Attempts is useful, and does block single-IP
>> brute-force attacks. (I use, and love, Limit Login Attempts.)
>>
>> But this particular botnet has demonstrated the ability to vary the IP
>> address used to brute-force a given site. That behavior, IIRC, has been
>> observed in the wild.
>>
>> My caution in adding Limit Login Attempts to core in response to this
>> attack is that it would give a false sense of security, WRT both
>> brute-force login attempts and DDoS.
>>
>>
>> Chris Williams <chris at clwill.com>
>> April 16, 2013 12:14 PM
>>
>> Because if you only allow each IP four (Five? Six?) login attempts per
>> day, you essentially stop them all.
>>
>> In my log analysis, it's not the case that each IP only makes a few
>> attempts. They try hundreds/thousands. Now they are hitting my block,
>> which requires a block of four attempts four times (16 total hits in a one
>> day period).
>>
>> If you look at the analysis on this, it all says something like "at 1000
>> attempts/minute it takes only N days to crack your short password". Well,
>> at 4 attempts/day, that number becomes millennia.
>>
>> More to the point, why NOT do this? It doesn't require everyone to change
>> their password. It doesn't require everyone to remove the "admin"
>> account. It doesn't require any changes at all, yet helps protect even the
>> most lax of password choosers.
>>
>>
>>
>
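
The trade-offs argued over in the thread (a per-IP limit stops a single host guessing hundreds of passwords but not a botnet that rotates IPs; a per-username limit stops the botnet but lets it lock the real account owner out unless that owner's IP is whitelisted) as an added simulation. This is not code from the original posts, from WordPress core or from the Limit Login Attempts plugin. The limit of four attempts per day is taken from Chris's message; the IP addresses, username, password and timestamps are constructed sample input, and the 'ip'/'username' policy names are this example's own.

```python
"""Simulated login-lockout policies: per-IP versus per-username, with an
optional IP whitelist.  Added example, not plugin or WordPress code."""
from collections import defaultdict

MAX_ATTEMPTS = 4        # four failures per key per window (Chris's figure)
WINDOW = 24 * 3600      # one-day window, in seconds
# Constructed credential store for the simulation.
VALID = {"admin": "correct horse battery staple"}


class LoginLimiter:
    """Counts failed logins per key (an IP or a username) inside WINDOW and
    refuses further attempts once MAX_ATTEMPTS is reached.  Requests from a
    whitelisted IP bypass the lockout entirely."""

    def __init__(self, key_by, whitelist=()):
        assert key_by in ("ip", "username")
        self.key_by = key_by
        self.whitelist = set(whitelist)
        self.failures = defaultdict(list)   # key -> timestamps of failures

    def _key(self, ip, username):
        return ip if self.key_by == "ip" else username

    def _recent(self, key, now):
        # Drop failures older than WINDOW so a lock expires on its own.
        self.failures[key] = [t for t in self.failures[key] if now - t < WINDOW]
        return self.failures[key]

    def attempt(self, ip, username, password, now):
        """Return 'locked', 'ok' or 'fail' for one login attempt."""
        key = self._key(ip, username)
        if ip not in self.whitelist and len(self._recent(key, now)) >= MAX_ATTEMPTS:
            return "locked"
        if VALID.get(username) == password:
            return "ok"
        self.failures[key].append(now)
        return "fail"


def run(policy, attempts, whitelist=()):
    """Feed (ip, username, password, time) tuples through one limiter and
    return the outcome of each attempt in order."""
    lim = LoginLimiter(policy, whitelist)
    return [lim.attempt(ip, u, p, t) for ip, u, p, t in attempts]


# Constructed scenario 1: one host guessing 'admin' six times from one IP.
SINGLE_IP = [("203.0.113.5", "admin", f"guess{i}", i) for i in range(6)]

# Constructed scenario 2: a botnet rotating through six IPs, one guess each.
BOTNET = [(f"198.51.100.{i}", "admin", f"guess{i}", i) for i in range(6)]

# Constructed scenario 3: after the botnet run, the real admin logs in with
# the right password from a home IP that took part in no guessing.
OWNER = ("192.0.2.10", "admin", "correct horse battery staple", 100)


def single_ip_outcomes():
    # Per-IP limit: the fifth and sixth guesses from the same IP are refused.
    return run("ip", SINGLE_IP)


def botnet_per_ip():
    # Per-IP limit: every IP is fresh, so all six guesses are evaluated.
    return run("ip", BOTNET)


def botnet_per_user():
    # Per-username limit: 'admin' is locked after four failures regardless of IP.
    return run("username", BOTNET)


def owner_after_botnet(policy, whitelist=()):
    # Outcome for the legitimate owner once the botnet has run.
    return run(policy, BOTNET + [OWNER], whitelist)[-1]


def lock_expires():
    # Same single-IP attacker returning a day later: old failures have aged out.
    late = ("203.0.113.5", "admin", "guess9", WINDOW + 10)
    return run("ip", SINGLE_IP + [late])[-1]


if __name__ == "__main__":
    print("single IP, per-IP policy:   ", single_ip_outcomes())
    print("botnet, per-IP policy:      ", botnet_per_ip())
    print("botnet, per-username policy:", botnet_per_user())
    print("owner after botnet, per-IP: ", owner_after_botnet("ip"))
    print("owner after botnet, per-user:", owner_after_botnet("username"))
    print("owner, per-user, whitelisted:", owner_after_botnet("username", ["192.0.2.10"]))
```

Running the script shows the two failure modes side by side: the per-IP policy never refuses the rotating botnet, while the per-username policy refuses it but also reports `locked` for the owner's correct password until the owner's IP is on the whitelist. Note that every attempt in either policy still reaches the application before it is counted, which is Dre's point about resource handling: this kind of limiter protects the credential, not the server.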

