[wp-hackers] Limit Login Attempts

Doug Smith doug at smithsrus.com
Tue Apr 16 18:12:54 UTC 2013


I like the approach of the Login Security Solution plugin in the way it enforces strong passwords and attempts to track both IPs and logins then do blocking, delays, and password resets.
http://wordpress.org/extend/plugins/login-security-solution/

This particular distributed attack is mostly probing the user name "admin". It would seem that if a user with that name does not exist (since it's no longer a default) then the attempt could instantly be treated in the way the Login Security Solution plugin does but without waiting for repeated attempts. The delays would at least slow the attempts looking for an "admin" user.

Doug

On Apr 16, 2013, at 10:39 AM, wp-hackers-request at lists.automattic.com wrote:

> Message: 5
> Date: Tue, 16 Apr 2013 11:39:48 -0400
> From: Chip Bennett <chip at chipbennett.net>
> Subject: Re: [wp-hackers] Limit Login Attempts
> To: "[wp-hackers]" <wp-hackers at lists.automattic.com>
> Message-ID:
> 	<CAPdLKqd21azx7AA68mTgZ=r=AcoaXyZ+HAMri+pSjVn-jMS0=Q at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> "Does that overlook something important?"
> 
> Well, unless you whitelist your own IP address to bypass the login lockout,
> then if the brute-force attack attacks your actual username, you could find
> yourself locked out of your own site.
> 
> Another solution is to .htaccess whitelist your own IP address for
> wp-login.php, but that may not exactly be a low-maintenance solution
> (dynamic IP addresses, logging in from multiple locations/IP
> addresses/devices, etc.).
> 
> 
> On Tue, Apr 16, 2013 at 11:32 AM, onlyunusedname
> <onlyunusedname at gmail.com>wrote:
> 
>> I've been using something similar to what Jesse describes: limiting
>> attempts based on username so that I may disregard IP.  Does that overlook
>> something important?

--
Doug Smith: doug at smithsrus.com
http://smithsrus.com
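As an added illustration (not code from the Login Security Solution plugin or from anyone in this thread), here is a Python sketch of the policy the messages above describe: failures counted per username and per IP, an allowlisted address that bypasses the lockout so a flood against your own username cannot lock you out, and an attempt against a username that does not exist treated with an immediate back-off instead of waiting for repeated attempts. The class and method names, the thresholds, and the sample addresses and usernames are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Decision:
    allowed: bool
    delay_seconds: int   # back-off the login handler should sleep before answering
    reason: str          # for the server log only; the HTTP response must not leak it


@dataclass
class LoginGuard:
    """Hypothetical lockout policy (constructed for this example, not the plugin's code)."""
    known_users: set
    allowlisted_ips: set = field(default_factory=set)
    max_failures: int = 5
    lockout_seconds: int = 900
    max_delay: int = 60
    user_failures: dict = field(default_factory=lambda: defaultdict(int))
    ip_failures: dict = field(default_factory=lambda: defaultdict(int))
    user_locked_until: dict = field(default_factory=dict)
    ip_locked_until: dict = field(default_factory=dict)

    @staticmethod
    def _locked(locks, key, now):
        return locks.get(key, 0) > now

    def _record_failure(self, counts, locks, key, now):
        """Count one failure; return the back-off, and lock the key once the budget is spent."""
        counts[key] += 1
        delay = min(2 ** counts[key], self.max_delay)   # 2, 4, 8 ... capped
        if counts[key] >= self.max_failures:
            locks[key] = now + self.lockout_seconds
            counts[key] = 0   # fresh budget once the lockout expires
        return delay

    def attempt(self, username, ip, password_ok, now):
        """Decide on one login attempt. `now` is injected (seconds) so runs are deterministic."""
        # 1. Your own address bypasses every lockout (Chip's caveat); the password is still checked.
        if ip in self.allowlisted_ips:
            return Decision(password_ok, 0, "allowlisted ip, lockout bypassed")
        # 2. A locked source address is refused before any credential work.
        if self._locked(self.ip_locked_until, ip, now):
            return Decision(False, 0, "ip locked")
        # 3. Probe for an account that does not exist (the "admin" case): back off at once and
        #    count it against the IP only; there is no user record to lock, and counting unknown
        #    names per username would let a bot fill the storage with junk entries.
        if username not in self.known_users:
            delay = self._record_failure(self.ip_failures, self.ip_locked_until, ip, now)
            return Decision(False, delay, "unknown username")
        # 4. Known account that is currently locked.
        if self._locked(self.user_locked_until, username, now):
            return Decision(False, 0, "username locked")
        # 5. The caller has already verified the password; success clears the counter.
        if password_ok:
            self.user_failures[username] = 0
            return Decision(True, 0, "ok")
        # 6. A wrong password for a real account counts against both the username and the IP.
        d_user = self._record_failure(self.user_failures, self.user_locked_until, username, now)
        d_ip = self._record_failure(self.ip_failures, self.ip_locked_until, ip, now)
        return Decision(False, max(d_user, d_ip), "bad password")


def demo():
    """Replay a constructed attack log and return (allowed, delay, reason) per attempt."""
    guard = LoginGuard(known_users={"doug"}, allowlisted_ips={"203.0.113.10"})  # constructed
    log = []
    # one bot probing the nonexistent "admin" account: delays grow, then the IP is locked
    for i in range(6):
        log.append(guard.attempt("admin", "198.51.100.7", False, now=1000 + i))
    # a second bot guessing doug's password until the username locks
    for i in range(5):
        log.append(guard.attempt("doug", "198.51.100.8", False, now=1100 + i))
    # doug himself: correct password from a roaming address (locked) and from home (allowlisted)
    log.append(guard.attempt("doug", "198.51.100.9", True, now=1200))
    log.append(guard.attempt("doug", "203.0.113.10", True, now=1201))
    # after the lockout expires the roaming login works again
    log.append(guard.attempt("doug", "198.51.100.9", True, now=1200 + 900 + 1))
    return [(d.allowed, d.delay_seconds, d.reason) for d in log]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The `reason` field is meant for the server log and for tuning thresholds; the response sent back to the client should be identical for "unknown username" and "bad password", otherwise the delay itself becomes a username oracle. Counting unknown-name probes only against the source address keeps the per-username table bounded to real accounts.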