[wp-hackers] Limit Login Attempts
Chris Williams
chris at clwill.com
Mon Apr 22 21:11:18 UTC 2013
If he's only logging failed login attempts, I would think a) it wouldn't
harm you performing a valid login (since that wouldn't be logged), and b)
a delay in response to a failed login would be a good thing... Slow those
puppies down.
On 4/22/13 8:55 AM, "Nicholas Ciske" <nl at thoughtrefinery.com> wrote:
>Sam,
>
>I'm curious if you've done any load testing with this?
>
>Seems like it could (initially) make attacks impose a worse performance
>penalty due to the number of remote calls (and you'd be hammering your
>central server), not to mention the possibility of adding thousands of
>transients to the WP database (which could hammer a shared database
>server pretty hard)?
>
>What happens if the API server fails (or takes a long time to respond) --
>would I be able to log into my site?
>
>_________________________
>Nick Ciske
>http://thoughtrefinery.com/
>@nciske
>
>
>On Apr 22, 2013, at 8:50 AM, Sam Hotchkiss wrote:
>
>> FWIW, this thread inspired me to come up with a solution:
>>
>> http://wordpress.org/extend/plugins/bruteprotect/
>>
>> Failed login attempts get logged into a central repository, if any
>>single IP fails to log in 10 times in 1 hour to ANY site or combination
>>of sites with this plugin installed, it blocks any login attempts to any
>>installed site from that IP for 1 hour. Subsequent bans on that IP are
>>held for longer (20 fails in 24 hours = a 4 hour ban, 30 fails in 48
>>hours = a 12 hour ban, etc). The next update will allow a user to lift
>>their ban once in a 24 hour period by completing a re-captcha.
>>
>> The idea being that, if we can get enough sites with the plugin
>>installed, we can effectively neutralize the multiple-IP attack.
>>
>> Obviously, this is not as ideal as complete host-level protection, but
>>it's a whole lot easier...
>>
>> --
>> Sam Hotchkiss :: Principal / Senior Web Developer
>> Hotchkiss Consulting Group
>
>_______________________________________________
>wp-hackers mailing list
>wp-hackers at lists.automattic.com
>http://lists.automattic.com/mailman/listinfo/wp-hackers
More information about the wp-hackers
mailing list