
Limiting login attempts is not as effective as you might think. How should it work? If you want to ban IP addresses that get X attempts wrong in Y minutes, then you're failing to realize that hackers like this normally have access to hundreds or thousands of IP addresses. If you want to lock the whole account for a while, then you've just introduced a way for anyone to lock the account of someone else they don't like.

Also, considering that their Twitter and Facebook accounts were compromised as well, your assumption that it was the blog itself that was compromised is a big one. I don't have any first-hand knowledge of that personally, though; I'm just saying.



No need to ban an IP address. After x attempts, just add y seconds before allowing another login attempt. If you like, lock the account, with an SMS or email to the owner, after z attempts. Do this per login, regardless of device type/location. The time taken to test out just 5 passwords should make a brute force impractical.
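The following is an added example, not code from this thread or from any WordPress plugin. It implements the x/y/z scheme described in the comment above as a throttle keyed by an arbitrary string, then runs two constructed scenarios that put numbers on the objections raised earlier in the thread: keying the throttle by source IP does nothing against an attacker who rotates through many addresses, and keying it by account hands anyone who knows the username a way to lock the owner out. The `notify` callback stands in for the SMS/email step and is an assumption; all parameter values and the attacker timing are constructed for the simulation.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class LoginThrottle:
    """Failed-login throttle keyed by an arbitrary string (account name or IP).

    free_attempts: failures allowed before any delay is imposed (the x above)
    delay_step:    seconds added per failure beyond free_attempts (the y above)
    lock_after:    failures after which the key is locked and the owner notified (z)
    notify:        assumed callback standing in for the SMS/email to the owner
    """
    free_attempts: int = 3
    delay_step: float = 5.0
    lock_after: int = 10
    notify: Optional[Callable[[str], None]] = None
    failures: Dict[str, int] = field(default_factory=dict)
    next_allowed: Dict[str, float] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)
    checks: int = 0  # number of passwords the server actually evaluated

    def attempt(self, key: str, password_ok: bool, now: float) -> str:
        """Return 'ok', 'bad_password', 'throttled' or 'locked'."""
        if key in self.locked:
            return "locked"
        if now < self.next_allowed.get(key, 0.0):
            # Refuse before looking at the password, so a throttled request
            # leaks nothing about whether the guess happened to be right.
            return "throttled"
        self.checks += 1
        if password_ok:
            self.failures.pop(key, None)
            self.next_allowed.pop(key, None)
            return "ok"
        n = self.failures.get(key, 0) + 1
        self.failures[key] = n
        if n >= self.lock_after:
            self.locked.add(key)
            if self.notify:
                self.notify(key)
            return "locked"
        if n >= self.free_attempts:
            # Linear back-off: each further failure adds delay_step more seconds.
            self.next_allowed[key] = now + self.delay_step * (n - self.free_attempts + 1)
        return "bad_password"


def guesses_tested(key_by_ip: bool, n_ips: int, guesses: int) -> int:
    """Constructed scenario: an attacker fires one wrong guess per second at
    account 'victim', rotating through n_ips source addresses. Returns how
    many of those guesses the server actually checked against the password."""
    throttle = LoginThrottle()
    for t in range(guesses):
        key = f"ip-{t % n_ips}" if key_by_ip else "victim"
        throttle.attempt(key, password_ok=False, now=float(t))
    return throttle.checks


def lockout_denial_of_service() -> Tuple[str, List[str]]:
    """Constructed scenario: a stranger who knows the username sends wrong
    passwords until the account locks; the real owner then logs in correctly."""
    notified: List[str] = []
    throttle = LoginThrottle(notify=notified.append)
    t = 0.0
    while "victim" not in throttle.locked:
        throttle.attempt("victim", password_ok=False, now=t)
        t += 1000.0  # the attacker simply waits out each delay
    # The legitimate owner supplies the right password and is still refused.
    return throttle.attempt("victim", password_ok=True, now=t), notified


if __name__ == "__main__":
    print("per-IP throttle, 1 IP, 2000 guesses:   ", guesses_tested(True, 1, 2000))
    print("per-IP throttle, 1000 IPs, 2000 guesses:", guesses_tested(True, 1000, 2000))
    print("per-account throttle, 2000 guesses:     ", guesses_tested(False, 1000, 2000))
    print("owner after attacker lockout:           ", lockout_denial_of_service())
```

With the defaults (x=3, y=5 s, z=10), a single-source attacker gets only 10 passwords evaluated in 2000 seconds before the key locks, but spreading the same 2000 guesses over 1000 addresses keeps every address under the free-attempt threshold and all 2000 are evaluated. Keying by account closes that gap and also means the attacker never needs more than z requests to leave the real owner staring at "locked" until the notification is acted on; the second function returns exactly that outcome.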


That doesn't sound like fun for the account owner. I could prevent you from logging into your account.


This plugin does exactly that and is very effective. Everyone using WP should be using it. http://wordpress.org/plugins/limit-login-attempts/


I run this on my personal site to prevent drive-bys but it won't stop a determined hacker with many IPs.

Here's a proper solution to secure your account: http://wordpress.org/plugins/google-authenticator/



