[wp-trac] [WordPress Trac] #24193: Anti brute force protection

WordPress Trac noreply at wordpress.org
Tue Apr 1 03:27:38 UTC 2014

#24193: Anti brute force protection
 Reporter:  MAzZY        |       Owner:
     Type:  enhancement  |      Status:  reopened
 Priority:  normal       |   Milestone:
Component:  Users        |     Version:  3.5.1
 Severity:  normal       |  Resolution:
 Keywords:  has-patch    |     Focuses:

Comment (by nacin):

 Two main problems with this:
  * This would quickly balloon the options table and probably crash it. In
 fact it'd be a fairly effective attack in its own right.
  * It would do nothing to prevent distributed brute-force attempts. One
 person with huge botnet could ''trivially'' do some serious damage with
 this. You'd need to do per-user stuff, rather than per-IP.
  * OK, three problems. Per-user is tough because then it'd be easy to
 block a user from logging in legitimately. In fact, it'd be a fairly
 effective attack in its own right.

 It's really, really hard to get this right. That's why every plugin I've
 seen offers a serious amount of configuration, as if a user is going to
 know how to best balance legitimate attempts versus dealing with a
 distributed botnet. It's a terrible, horrible user experience.

Ticket URL: <https://core.trac.wordpress.org/ticket/24193#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list