[wp-trac] [WordPress Trac] #24673: provide mainline supported rename of wp-login

WordPress Trac noreply at wordpress.org
Tue Apr 1 03:24:54 UTC 2014


#24673: provide mainline supported rename of wp-login
--------------------------+-----------------------
 Reporter:  jorhett       |       Owner:
     Type:  defect (bug)  |      Status:  reopened
 Priority:  normal        |   Milestone:
Component:  Security      |     Version:  3.5.2
 Severity:  critical      |  Resolution:
 Keywords:  close         |     Focuses:
--------------------------+-----------------------
Changes (by knutsp):

 * keywords:   => close


Comment:

 The reason WordPress is more attacked by botnets has to do with the bigger
 target. Malicious hackers always go for the bigger targets first, the
 easiest way. This doesn't mean that making it just a bit more difficult to
 do "brute force" will change this. A way to "protect" WordPress could
 cynically be to stop the development, making the target smaller and other
 CMSs bigger.

 This ticket is about changing "wp-login", as the description says. That is
 not going to help.

 Changing the wp-admin part of the admin url is another thing. Setting it
 to a secret would introduce another kind of password, at least if you are
 not able to be redirected to it automatically.

 Introducing just "another password", in principle, is no way as long as
 it's purely web based. You may achieve the same degree of complexity by
 just a stronger password. A third party mechanism is the way here, requiring
 another device and address that the user has access to, like a mobile
 phone.

 A weak or medium strong password may not withstand a brute force attack
 that is allowed to go on forever. This is the actual weakness, along with
 allowing weak passwords at all.

 Ticket #24193 suggests limiting the ability to do some brute force
 attacks.

 The main point is, that what works for a lot of sites, in ways of
 avoiding botnet attacks, is not necessarily what WordPress core should do.
 And what WordPress core should do is not making it difficult to log in to
 their own WordPress. What WordPress does best is to allow almost any
 modification through plugins. So when someone wants to stand out, being
 different, maybe harder to "get" by common means, use or make a plugin.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/24673#comment:16>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
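The limiting of brute-force attempts that the comment points to (ticket #24193), shown as an added illustration that is not part of this ticket comment or of WordPress core: a minimal plugin that counts failed logins per username/address pair in a transient and refuses further attempts once a threshold is reached, without touching the login URL at all. The `elal_` prefix, the thresholds and the lockout message are constructed for the example; the hooks (`authenticate`, `wp_login_failed`, `wp_login`) and the transient functions are real WordPress APIs.

```php
<?php
/*
 * Plugin Name: Example Login Attempt Limiter (illustrative)
 * Description: Locks out a username/address pair after too many failed logins.
 */

// Constructed thresholds: five failures inside a 15-minute window trigger a lockout
// that lasts until the window expires.
const ELAL_MAX_FAILURES   = 5;
const ELAL_WINDOW_SECONDS = 15 * MINUTE_IN_SECONDS;

// Transient key derived from the attempted username and the remote address.
// Keyed on the pair so one noisy address cannot lock out every user on the site.
function elal_transient_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'elal_' . md5( strtolower( $username ) . '|' . $ip );
}

// Runs after core's username/password check (priority 20). While the pair is locked
// out, return the same generic error whether or not the password was correct, so the
// response does not reveal anything about the credential.
function elal_check_lockout( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    $failures = (int) get_transient( elal_transient_key( $username ) );
    if ( $failures >= ELAL_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'elal_check_lockout', 30, 3 );

// Count every failure. The transient carries its own expiry, so the counter resets
// by itself once the window has passed with no further attempts.
function elal_record_failure( $username ) {
    $key      = elal_transient_key( $username );
    $failures = (int) get_transient( $key );
    set_transient( $key, $failures + 1, ELAL_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'elal_record_failure' );

// A successful login clears the counter for that pair.
function elal_clear_on_success( $user_login, $user ) {
    delete_transient( elal_transient_key( $user_login ) );
}
add_action( 'wp_login', 'elal_clear_on_success', 10, 2 );
```

Two caveats a deployer should check: behind a reverse proxy `REMOTE_ADDR` is the proxy's address, so the key must be built from the trusted forwarded header instead; and a per-address limit slows a single client but not a botnet spreading attempts across many addresses, which is why the comment's point about password strength and a second factor still stands alongside rate limiting.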
