
Re: [wp-hackers] Securing Wordpress Login

  • To: wp-hackers@xxxxxxxxxxxxxxxxxxxx
  • Subject: Re: [wp-hackers] Securing Wordpress Login
  • From: Roy Schestowitz <r@xxxxxxxxxxxxxxx>
  • Date: Mon, 21 Aug 2006 15:10:36 +0100
  • Delivery-date: Mon, 21 Aug 2006 15:10:41 +0100
  • Envelope-to: s@schestowitz.com
  • In-reply-to: <016801c6c522$86647bd0$d702a8c0@jamiexp>
  • References: <016801c6c522$86647bd0$d702a8c0@jamiexp>
  • User-agent: Internet Messaging Program (IMP) H3 (4.1.1)
___/ On Mon 21 Aug 2006 14:05:49 BST, [ Jamie Holly ] wrote : \___

I had to go through this a couple of times on sites I administer. The
problem is you get some punk that loves to cause problems who decides to try
and brute force a login by running a dictionary file against the password
and login information to gain access to Wordpress.


It took me a while to find it, but this was discussed in this list before.

http://comox.textdrive.com/pipermail/wp-hackers/2005-December/003385.html

This large thread had quite a few solutions proposed, but I don't think any was incorporated into the release (2.0) at the end.


Sometimes trying to explain to people that they should make up a random
password consisting of upper and lower case letters along with numbers
just doesn't get through.


Add some simple test that checks the password against a dictionary and
rejects trivial-to-guess passwords. The worst type of attack doesn't use
whole dictionaries to crack a single account. Using single words on many
accounts is more effective if one wished to wreak havoc. Many systems
assume this, so there's a dictionary-based check, in addition to the
imposition of a lower bound on the number of characters and enforcement
of a rich mix of characters.


I have ended
up hacking wp-login.php on these sites to include a CAPTCHA with every
login.


Upon first inspection, this would raise concerns among the blind (see below).


I was wondering what everyone thought about adding something similar to the
core. It could even be modified to be similar to the way Yahoo works it,
where you get X number of failed attempts and after that you are forced to
use the CAPTCHA.


...but that sounds much more sensible.


Another option would be to have Wordpress reset the user's password after X
number of failed login attempts. This would be more ideal for people who are
hosted on companies that do not have GDImage enabled in PHP. Of course we
could make it customizable through the admin options:


The one issue with this is that it opens the system to account-targeted
vandalism. Someone can affect one's account and cause great inconvenience.
Since it's not a brute-force-type attack, it will probably be less tolerable
than DDoS attacks on the login page, which at the very worst lead to
problems in the database or bring down the server. You wouldn't want
Senator Gore with his 20-buck-a-month hosting relying on this... *LOL*


- Enable login security

- Number of failed login attempts before invoking security

- Security method: Password reset or CAPTCHA


Considering the growing popularity of Wordpress and the increased use on political sites, which are high targets for these attacks, I feel that increasing security on the login would be highly welcomed.


I concur.

Best wishes,

Roy


--
Roy S. Schestowitz, Ph.D. Candidate in Medical Biophysics
http://Schestowitz.com | GNU/Linux | PGP-Key: 0x74572E8E
http://othellomaster.com - GPL'd 3-D Othello
http://iuron.com - proposing a non-profit search engine
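An added example, not code from this thread or from WordPress itself, of the two controls discussed above: a dictionary-plus-mix check on new passwords, and a failure counter kept per account and per source address that escalates to a CAPTCHA instead of resetting or locking the account, so that a stranger hammering someone's login can at most make that login require a CAPTCHA. It is plain PHP with no WordPress API calls; the word list, thresholds, user names and addresses are constructed for illustration.

```php
<?php
// Added example, not code from this thread or from WordPress itself.
// Plain PHP with no WordPress API calls; word list, thresholds and the
// sample user names / addresses below are constructed for illustration.

// Tiny constructed word list; a real check would load a full dictionary.
$DICTIONARY = ['password', 'letmein', 'wordpress', 'admin', 'qwerty', 'welcome'];

// Returns a list of reasons the password is rejected; empty means accepted.
function password_problems($password, array $dictionary, $min_len = 8) {
    $problems = [];
    if (strlen($password) < $min_len) {
        $problems[] = "shorter than $min_len characters";
    }
    // Undo the usual "strengthening" of a dictionary word: lower-case it,
    // drop trailing digits/punctuation, reverse letter-for-symbol swaps.
    $base = rtrim(strtolower($password), '0123456789!@#$%^&*.');
    $base = strtr($base, ['@' => 'a', '$' => 's', '0' => 'o', '1' => 'l',
                          '3' => 'e', '4' => 'a', '5' => 's', '7' => 't']);
    if (in_array(strtolower($password), $dictionary, true)
        || in_array($base, $dictionary, true)) {
        $problems[] = 'based on a dictionary word';
    }
    // Require a mix of character classes as well as a minimum length.
    $classes = 0;
    foreach (['/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^A-Za-z0-9]/'] as $re) {
        if (preg_match($re, $password)) {
            $classes++;
        }
    }
    if ($classes < 3) {
        $problems[] = 'needs at least three of: lower case, upper case, digit, symbol';
    }
    return $problems;
}

// Counts recent failures per account and per source address. Past the
// threshold the login form demands a CAPTCHA; nothing is locked or reset,
// so an attacker cannot use the control to vandalise a victim's account.
class LoginThrottle {
    private $failures = [];   // key => ['count' => n, 'since' => unix time]
    private $max_failures;
    private $window;

    public function __construct($max_failures = 5, $window = 900) {
        $this->max_failures = $max_failures;
        $this->window = $window;   // seconds before old failures are forgotten
    }

    private function count($key, $now) {
        if (!isset($this->failures[$key])) {
            return 0;
        }
        if ($now - $this->failures[$key]['since'] > $this->window) {
            unset($this->failures[$key]);   // window expired
            return 0;
        }
        return $this->failures[$key]['count'];
    }

    public function requires_captcha($user, $ip, $now) {
        // Per-IP counter catches one word tried against many accounts;
        // per-user counter catches many words tried against one account.
        return $this->count("user:$user", $now) >= $this->max_failures
            || $this->count("ip:$ip", $now) >= $this->max_failures;
    }

    public function record_failure($user, $ip, $now) {
        foreach (["user:$user", "ip:$ip"] as $key) {
            if ($this->count($key, $now) === 0) {
                $this->failures[$key] = ['count' => 0, 'since' => $now];
            }
            $this->failures[$key]['count']++;
        }
    }

    public function record_success($user) {
        // Only the account counter is cleared: a source that already failed
        // against many accounts keeps its CAPTCHA requirement.
        unset($this->failures["user:$user"]);
    }
}

// Demonstration on constructed input.
foreach (['P@ssw0rd1', 'Tr0ub4dor&3', 'short1A'] as $candidate) {
    $problems = password_problems($candidate, $DICTIONARY);
    echo "$candidate: " . ($problems ? implode('; ', $problems) : 'accepted') . "\n";
}

$throttle = new LoginThrottle(3, 900);
$now = 1156169436;   // arbitrary constructed timestamp
for ($i = 0; $i < 3; $i++) {
    $throttle->record_failure('editor', '203.0.113.7', $now + $i);   // attacker's source
}
foreach ([['editor', '203.0.113.7'], ['editor', '198.51.100.9'], ['author', '198.51.100.9']] as $probe) {
    list($user, $ip) = $probe;
    echo "$user from $ip: "
        . ($throttle->requires_captcha($user, $ip, $now + 10) ? 'CAPTCHA required' : 'password only') . "\n";
}
```

The first candidate shows why a character-mix rule on its own is not enough: "P@ssw0rd1" satisfies length and all four classes, yet normalises back to a dictionary word and is rejected. In the throttle demonstration the attacker's failures against "editor" also make the real owner of "editor" solve a CAPTCHA from a different address, which is the worst that account-targeted abuse can achieve here, while "author" is unaffected. Counters would live in the database or a cache in a real install rather than in the object, since each PHP request starts fresh.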
