[wp-trac] [WordPress Trac] #24193: Anti brute force protection
WordPress Trac
noreply at wordpress.org
Tue Apr 1 19:54:26 UTC 2014
#24193: Anti brute force protection
-------------------------+------------------------------
Reporter: MAzZY | Owner:
Type: enhancement | Status: reopened
Priority: normal | Milestone: Awaiting Review
Component: Users | Version: 3.5.1
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
-------------------------+------------------------------
Comment (by Denis-de-Bernardy):
Fwiw, I've a quick hack running on my own sites using the following
approach:

1. On login attempt, get the latest_logins user_meta. It's an array of
array(date, ip, success) that keeps track of up to three successful login
attempts, and up to the first three failed ones that occurred after the
last successful login.

2. If the last three login attempts are all failed, it locks the user by
triggering the reset password procedure alongside setting a user_locked
meta. The user_locked meta denies any login attempt, successful or not,
until the password is indeed reset (at which point the user_locked meta is
deleted).

3. The user's profile page lists the latest_logins in a table for
information.

Most of the code is related to 3. Points 1 and 2 are maybe 10-20 lines of
code, since they're using existing APIs.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/24193#comment:20>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
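
Points 1 and 2 of the comment above, as an added example that is not part of the original message or the commenter's code. The meta keys latest_logins and user_locked are taken from the comment; the abf_record helper name, the lock message and the choice of hooks are assumptions, and the sketch assumes WordPress 5.7 or later.

```php
<?php
// Added sketch, not the commenter's plugin. The meta keys latest_logins and
// user_locked come from the comment; the abf_* names are hypothetical.
// Assumes WordPress 5.7+, where retrieve_password() accepts a user login.
function abf_record( $user_id, $success ) {
    $log = get_user_meta( $user_id, 'latest_logins', true );
    $log = is_array( $log ) ? $log : array();
    $ok  = array_values( array_filter( $log, function ( $e ) { return ! empty( $e['success'] ); } ) );
    $bad = array_values( array_filter( $log, function ( $e ) { return empty( $e['success'] ); } ) );
    $now = array( 'date' => current_time( 'mysql' ), 'ip' => $_SERVER['REMOTE_ADDR'] ?? '', 'success' => $success );
    if ( $success ) {
        $ok  = array_slice( array_merge( $ok, array( $now ) ), -3 ); // last three successes
        $bad = array();                       // failures count only after the last success
    } elseif ( count( $bad ) < 3 ) {
        $bad[] = $now;                        // first three failures since then
    }
    update_user_meta( $user_id, 'latest_logins', array_merge( $ok, $bad ) );
    return count( $bad );
}

// Step 1: record every attempt against a known account.
add_action( 'wp_login', function ( $user_login, $user ) {
    abf_record( $user->ID, true );
}, 10, 2 );

add_action( 'wp_login_failed', function ( $username ) {
    $user = get_user_by( 'login', $username ) ?: get_user_by( 'email', $username );
    if ( ! $user || get_user_meta( $user->ID, 'user_locked', true ) ) {
        return; // unknown account, or already locked: do not send another reset mail
    }
    // Step 2: three failures in a row lock the account and start a reset.
    if ( abf_record( $user->ID, false ) >= 3 ) {
        update_user_meta( $user->ID, 'user_locked', 1 );
        retrieve_password( $user->user_login );
    }
} );

// While user_locked is set, refuse the login before the password is checked.
add_filter( 'wp_authenticate_user', function ( $user ) {
    if ( $user instanceof WP_User && get_user_meta( $user->ID, 'user_locked', true ) ) {
        return new WP_Error( 'user_locked', 'Account locked. Reset your password to log in.' );
    }
    return $user;
} );

// A completed password reset lifts the lock.
add_action( 'after_password_reset', function ( $user ) {
    delete_user_meta( $user->ID, 'user_locked' );
} );
```

Because the counter is kept per account, three wrong passwords from any source put that account through a reset, and behind a reverse proxy REMOTE_ADDR records the proxy address rather than the client's.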