___/ On Mon 21 Aug 2006 14:05:49 BST, [ Jamie Holly ] wrote : \___
> I had to go through this a couple of times on sites I administer. The
> problem is you get some punk that loves to cause problems who decides to try
> and brute force a login by running a dictionary file against the password
> and login information to gain access to Wordpress.
It took me a while to find it, but this was discussed in this list before.
This large thread had quite a few solutions proposed, but I don't
think any was incorporated into the release (2.0) at the end.
> Sometimes trying to
> explain to people that making up a random password consisting of upper and
> lower case letters along with numbers just doesn't get through.
Add some simple test that checks the password against a
dictionary and rejects trivial-to-guess passwords. The worst
type of attacks don't use whole dictionaries to crack a
single account. Using single words on many accounts is more
effective if one wished to wreak havoc. Many systems assume
this so there's a dictionary-based check, in addition to
imposition of a lower bound on the number of characters and
enforcement of a rich mix of characters.
> I have ended
> up hacking wp-login.php on these sites to include a CAPTCHA with every
Upon first inspection, this would raise concerns among the blind (see below).
> I was wondering what everyone thought about adding something similar to the
> core. It could even be modified to be similar to the way Yahoo works it,
> where you get X amount of failed attempts and after that you are forced to
> using the CAPTCHA.
...but that sounds much more sensible.
> Another option would be to have Wordpress reset the user's password after X
> number of failed login attempts. This would be more ideal for people who are
> hosted on companies that do not have GDImage enabled in PHP. Of course we
> could make it customizable through the admin options:
The one issue with this is that it opens the system to
account-targeted vandalism. Someone can affect one's
account and cause great inconvenience. Since it's not a
brute-force-type attack, it will probably be less tolerable
than DDoS attacks on the login page, which at the very worst
lead to problems in the database or bring down the server.
You wouldn't want Senator Gore with his 20-buck-a-month
hosting relying on this... *LOL*
> - Enable login security
> - Number of failed login attempts before invoking security
> - Security method: Password reset or CAPTCHA
>
> Considering the growing popularity of Wordpress and the increased use on
> political sites, which are high targets for these attacks, I feel that
> increasing security on the login would be highly welcomed.
Roy S. Schestowitz, Ph.D. Candidate in Medical Biophysics
http://Schestowitz.com | GNU/Linux | PGP-Key: 0x74572E8E
http://othellomaster.com - GPL'd 3-D Othello
http://iuron.com - proposing a non-profit search engine
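As an added illustration of the two mechanisms discussed in this exchange, and not code from WordPress, from Jamie or from Roy: a password check that combines a dictionary lookup with a length lower bound and a character-mix requirement, and a per-account failed-login counter that escalates to requiring a CAPTCHA instead of resetting the password, so a deliberate run of wrong guesses cannot lock the real owner out. The word list, the in-memory attempt store and every function name here are constructed for the example; a real deployment would read the dictionary from a file and keep the counters in the database.

```php
<?php
// Added example, not WordPress code. Names and data below are constructed.

// Stand-in for a real dictionary file (one word per line).
$dictionary = ['password', 'letmein', 'wordpress', 'admin', 'secret', 'qwerty'];

/**
 * Return the reasons a password is rejected; an empty array means acceptable.
 * Checks: minimum length, at least three character classes, and a
 * case-insensitive dictionary lookup that also strips trailing digits so
 * that "Password1" is caught as the dictionary word "password".
 */
function password_problems(string $pw, array $dictionary, int $min_len = 10): array {
    $problems = [];
    if (strlen($pw) < $min_len) {
        $problems[] = "shorter than $min_len characters";
    }
    $classes = 0;
    foreach (['/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^A-Za-z0-9]/'] as $re) {
        if (preg_match($re, $pw)) {
            $classes++;
        }
    }
    if ($classes < 3) {
        $problems[] = 'needs at least three of: lower case, upper case, digits, symbols';
    }
    $lookup = array_flip(array_map('strtolower', $dictionary));
    $stem = strtolower(preg_replace('/\d+$/', '', $pw));
    if (isset($lookup[strtolower($pw)]) || isset($lookup[$stem])) {
        $problems[] = 'is a dictionary word (possibly with digits appended)';
    }
    return $problems;
}

/**
 * Per-account failure counter. After $limit failures inside $window seconds
 * the account is flagged as needing a CAPTCHA on further attempts; nothing
 * about the account itself (in particular its password) is changed, so a
 * third party cannot inconvenience the owner beyond one extra CAPTCHA.
 * $store stands in for a database table or transient, keyed by login name.
 * Returns true when the CAPTCHA requirement is now in force.
 */
function record_login_result(array &$store, string $login, bool $success,
                             int $limit = 5, int $window = 900): bool {
    $now = time();
    $entry = $store[$login] ?? ['failures' => 0, 'first' => $now];
    if ($now - $entry['first'] > $window) {   // stale window: start counting afresh
        $entry = ['failures' => 0, 'first' => $now];
    }
    if ($success) {
        unset($store[$login]);                 // a good login clears the counter
        return false;
    }
    $entry['failures']++;
    $store[$login] = $entry;
    return $entry['failures'] >= $limit;
}

function captcha_required(array $store, string $login, int $limit = 5, int $window = 900): bool {
    if (!isset($store[$login])) {
        return false;
    }
    $e = $store[$login];
    return (time() - $e['first'] <= $window) && $e['failures'] >= $limit;
}

// Demonstration with constructed inputs.
foreach (['Password1', 'Tr0ub4dor&3', 'short1A'] as $candidate) {
    $p = password_problems($candidate, $dictionary);
    echo $candidate, ': ', $p ? implode('; ', $p) : 'ok', "\n";
}

$attempts = [];
for ($i = 1; $i <= 6; $i++) {
    $flag = record_login_result($attempts, 'editor', false);
    echo "failure $i for 'editor': captcha required = ", var_export($flag, true), "\n";
}
// 'editor' now needs a CAPTCHA; 'admin' is unaffected and no password was reset.
var_dump(captcha_required($attempts, 'editor'), captcha_required($attempts, 'admin'));
```

Run it with `php example.php`. The counter is keyed by login name rather than by client address on purpose, since the attack pattern described above spreads a few guesses across many accounts; the CAPTCHA escalation keeps that harmless for the account owner, whereas a forced password reset would turn the same traffic into the account-targeted nuisance the reply warns about.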