[wp-trac] [WordPress Trac] #32373: Allow For execution of code before login processing

WordPress Trac noreply at wordpress.org
Wed May 13 16:21:32 UTC 2015


#32373: Allow For execution of code before login processing
-------------------------+-----------------------------
 Reporter:  Another Guy  |      Owner:
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  Security     |    Version:  trunk
 Severity:  normal       |   Keywords:
  Focuses:               |
-------------------------+-----------------------------
 The problem at hand is hardening and filtering people who are attempting
 to log into a WordPress site WITHOUT using htaccess and without invoking
 the full WordPress core.  The issue comes from people making brute force
 attacks on a WordPress installation, either while attempting to post
 comments on a site that has "user must be logged in" checked, or who are
 just trying to gain access.

 The underlying issues are Cloudflare (and similar services) as well as the
 server load created in dealing with a brute force attack.  The IP address
 of someone coming to your WordPress site cannot easily be checked at the
 htaccess level (as you will see only the Cloudflare node serving them,
 which is shared).  They fix this by providing the origin IP in the
 headers, which can be accessed in PHP.  This means, however, that htaccess
 is not an option for sites using Cloudflare.

 Second is the question of server load.  wp-login.php (as an example)
 immediately starts up pretty much the whole of WordPress.  That means that
 code is loaded, database connections are made, and so on.  Get a few
 hundred (or a few thousand) requests a minute and your server melts and
 honest users cannot access your site.

 Additionally, many WordPress installations are either maintained by a
 single person, a small group of people, or from a single corporate location.
 It is the ultimate in good security to limit access to the login area to
 only those who need to use it.

 My solution is adding code at line 10 in both wp-login.php and
 /admin/index.php to pre-check the IP address and to only permit the small
 group of people who are allowed on the site to even attempt to log in.
 All of the others are either sent to a "denied" page, forwarded to other
 locations, or sent to 127.0.0.1.

 What I would like to suggest is that a hook be placed in these areas to a
 new file, called (say) wp-pre-login.php, which would be called at line 10
 in each case.  This code could process ANYTHING that the site owner
 chooses to do before login and would happen before any WordPress code is
 actually executed, and before any database connections or other activities
 happen.

 It may also be equally interesting to apply a similar system to comment
 processing.  Currently, limiting comments by country or language is not
 very easy to achieve.  It's also impossible to completely shut off
 comments.  It would be extremely beneficial to allow for pre-comment
 processing to occur.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/32373>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
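The following is an added illustration of the kind of pre-login gate the reporter describes (an IP allow-list checked before wp-load.php runs). It is not code from the ticket and not WordPress core; it assumes it is `require`d at the top of wp-login.php as the reporter proposes. The allow-list and trusted-proxy ranges are placeholders, and the origin header name follows Cloudflare's CF-Connecting-IP. The one point a defender must not skip is that such a header is only trustworthy when the TCP peer is actually the proxy; otherwise any client can set it and bypass the list.

```php
<?php
// wp-pre-login.php: added example of a pre-login IP gate (not WordPress core).
// Intended to run before wp-load.php so rejected requests never touch core
// code or the database.

// ASSUMPTION / PLACEHOLDER: addresses allowed to reach the login form.
const PRE_LOGIN_ALLOW = [
    '203.0.113.0/24',   // example office range (RFC 5737 documentation space)
    '198.51.100.7',     // example single administrator address
];

// ASSUMPTION / PLACEHOLDER: proxy/CDN ranges permitted to set the origin-IP
// header. Replace with the proxy's published ranges for a real deployment.
const PRE_LOGIN_TRUSTED_PROXIES = [
    '192.0.2.0/24',
];

// Header carrying the real client address behind the proxy. Cloudflare sends
// CF-Connecting-IP, which PHP exposes as $_SERVER['HTTP_CF_CONNECTING_IP'].
const PRE_LOGIN_ORIGIN_HEADER = 'HTTP_CF_CONNECTING_IP';

/** True if IPv4 $ip lies inside $cidr ("a.b.c.d" or "a.b.c.d/n"). */
function pre_login_ip_in_cidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';                 // bare address means a single host
    }
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;                   // non-IPv4 input never matches
    }
    $bits = (int) $bits;
    if ($bits < 0 || $bits > 32) {
        return false;
    }
    $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** True if $ip matches any entry in $list. */
function pre_login_ip_in_list(string $ip, array $list): bool
{
    foreach ($list as $cidr) {
        if (pre_login_ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Work out the client address. The origin header is honoured only when the
 * TCP peer (REMOTE_ADDR) is a trusted proxy and the header holds a valid IP;
 * otherwise the header is ignored and the peer address is used.
 */
function pre_login_client_ip(array $server): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? null;
    if ($peer === null) {
        return null;
    }
    $origin = $server[PRE_LOGIN_ORIGIN_HEADER] ?? null;
    if ($origin !== null
        && pre_login_ip_in_list($peer, PRE_LOGIN_TRUSTED_PROXIES)
        && filter_var($origin, FILTER_VALIDATE_IP) !== false) {
        return $origin;
    }
    return $peer;
}

/** Allow/deny decision for one request, given its $_SERVER array. */
function pre_login_is_allowed(array $server): bool
{
    $ip = pre_login_client_ip($server);
    return $ip !== null && pre_login_ip_in_list($ip, PRE_LOGIN_ALLOW);
}

// The gate itself: reject before any WordPress code is loaded.
if (PHP_SAPI !== 'cli' && !pre_login_is_allowed($_SERVER)) {
    http_response_code(403);
    header('Content-Type: text/plain');
    echo "Access to the login page is restricted.\n";
    exit;
}
```

The example handles IPv4 only; a production version would need matching logic for IPv6 ranges. Because the check runs before wp-load.php, the rejected request costs one small PHP file and no database connection, which is the server-load benefit the ticket is after.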