• wp3zzz

    (@wordpress3zzz)


    I host several websites and really appreciate how awesome wordpress is. Lately I am noticing numerous brute force attempts to log in to these sites. I know there are plugins that can prevent this (one of them screwed up an MU install for me last week) but I wonder; why isn’t this built in? Limit users to 1 request per 5 or 10 seconds or so, that would probably be a big help!

    thank you

Viewing 15 replies - 1 through 15 (of 19 total)
  • I second this request.

    To alleviate the problem in the meantime you can:

    1. Add this code to your functions.php to make brute forcing more difficult:
       // removes detailed login error information for security
       // (create_function() was removed in PHP 8; WordPress's __return_null() does the same job)
       add_filter('login_errors', '__return_null');

       // removes the WordPress version from your header for security
       function wb_remove_version() {
           return '';
       }
       add_filter('the_generator', 'wb_remove_version');
    2. Change the default admin account in your WordPress installs to something other than “admin”

    I know there are plugins that can prevent this (one of them screwed up an MU install for me last week) but I wonder; why isn’t this built in? Limit users to 1 request per 5 or 10 seconds or so, that would probably be a big help!

    That’s exactly the point.

    Of course, there are plugins for this, but WP by default should come with some level of protection regarding this.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    Limit users to 1 request per 5 or 10 seconds or so, that would probably be a big help!

    Two major reasons:

    1) We would catch a LOT of people complaining they got locked out of their blogs, without any idea how to un-block themselves. Remember, there are a lot of non-techs who use WP.

    2) Blocking there is ‘too late.’ Any time you’re using a plugin or WP code to throttle this sort of attack. This is something a server should be protecting you from (the brute force part, not the secure password part).

    Thread Starter wp3zzz

    (@wordpress3zzz)

    1) if they’re blocked for 5 seconds, they won’t be locked out. If they think they are, tell them to “try again now”.

    2) What do you mean the server should be protecting you, how does it know a legitimate login request from a non? WordPress itself is processing the login request. It could fairly easily do something to lock itself for 5 seconds before processing the next request.
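    The "lock itself for 5 seconds before processing the next request" idea, written out as an added example (it is not code from this thread, from WordPress core, or from the Limit Login Attempts plugin). It is a single mu-plugin file: after a failed login from an IP, further attempts from that IP are refused for a short window, with a message saying how long to wait, so a mistyped password never becomes a real lock-out. The `lt_` function names and the 10-second window are my choices; it also assumes `REMOTE_ADDR` is the real client address, which is not true behind a reverse proxy or CDN.

```php
<?php
/*
 * Plugin Name: Login Throttle (added example, not part of this thread)
 * Description: Refuse login attempts from an IP for a short window after a failure.
 * Copy this file into wp-content/mu-plugins/ to try it.
 */

// Window (seconds) during which an IP that just failed a login is refused.
// 10 seconds mirrors the "1 request per 5 or 10 seconds" suggestion above.
const LT_WINDOW_SECONDS = 10;

// Transient key for the client IP. Assumption: REMOTE_ADDR is the real client.
// Behind a proxy/CDN you would have to use the address the proxy forwards instead.
function lt_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'lt_block_' . md5( $ip );
}

// After a genuine failed login, start the block window for this IP.
// The transient expires on its own, so nobody stays locked out.
// Attempts that were refused by the throttle itself do not restart the window,
// otherwise a bot hammering the site would keep extending it.
function lt_record_failure( $username, $error = null ) {
    if ( is_wp_error( $error ) && 'lt_throttled' === $error->get_error_code() ) {
        return;
    }
    set_transient( lt_transient_key(), time(), LT_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'lt_record_failure', 10, 2 );

// Runs first on 'authenticate' (priority 1), i.e. before core looks up the user
// and compares the password hash.
function lt_check_throttle( $user, $username, $password ) {
    // Already authenticated (e.g. by cookie) or no credentials submitted: nothing to do.
    if ( $user instanceof WP_User || empty( $username ) ) {
        return $user;
    }

    $since = get_transient( lt_transient_key() );
    if ( false === $since ) {
        return $user;   // no recent failure from this IP: let the normal checks run
    }

    $remaining = LT_WINDOW_SECONDS - ( time() - (int) $since );
    if ( $remaining <= 0 ) {
        return $user;
    }

    // Stop the core password handlers for this request. Without this they would
    // still do the database lookup and hash comparison, and overwrite our error
    // with their own result.
    remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 );
    remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );

    return new WP_Error(
        'lt_throttled',
        sprintf( 'Too many login attempts. Please wait %d seconds and try again.', $remaining )
    );
}
add_filter( 'authenticate', 'lt_check_throttle', 1, 3 );
```

Because it hooks `authenticate` rather than the login form, the same window applies to XML-RPC logins, which go through `wp_authenticate()` too. It does not change the point made in the replies above: the request still reaches PHP and WordPress still bootstraps before this code runs, so it reduces the per-request cost (no user lookup, no hash comparison) rather than the request count, and server-level controls remain the earlier place to stop the traffic.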

    The server processes the request before WordPress gets to it. Any server that’s seeing the kind of traffic that is part of a brute force attack should be triggering its own protection.

    Thread Starter wp3zzz

    (@wordpress3zzz)

    >”server processes the request before WordPress gets to it.”

    I think there is some confusion here. WordPress itself (the wp-login.php script) processes login requests and this is what bogs down the server.

    >”should be triggering its own protection”

    what is the nature of the protection you’re talking about; is there a name for it and how do we install / configure that? Please provide a link or some information about this?

    thanks!

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    When someone calls the wp-admin URI, the following happens:
    1. A call is made to the server.
    2. The server decides what to do with the call.
    3. The server returns the wp-login.php script.
    4. The user views the wp-admin page.

    So, Esmi was pointing out at step 1 there should be some sort of security measure that the hosting providers should implement.

    Whereas you’re suggesting step 4.

    WordPress itself (the wp-login.php script) processes login requests and this is what bogs down the server.

    During a brute force attack, that’s too late. Ideally you need to stop these attacks as early as you possibly can to reduce the load on the server.

    what is the nature of the protection you’re talking about

    There are a couple of ways you can stop the attackers before wp-login.php has to process the request. We’ve been trying to catalogue some of them in Brute_Force_Attacks. Personally, I’ve opted to limit access to wp-admin by IP on the sites I manage but that might not suit everyone.

    Thread Starter wp3zzz

    (@wordpress3zzz)

    Thanks Andrew – what sort of security measure should the hosting provider implement; is there a name or a specific product that can tell this brute force attack on wordpress from a legitimate request?

    Thread Starter wp3zzz

    (@wordpress3zzz)

    OK thanks Esmi – so if I’m understanding, the developers don’t offer this built-in (the option to limit access to wp-admin by IP) because too many people will lock themselves out?

    Again it really seems that limiting the login requests to 1 per X seconds would alleviate what I’ve been seeing. So I’d like to continue to request that.

    Edit: Request that developers incorporate this plugin or similar into main wordpress: https://www.ads-software.com/extend/plugins/limit-login-attempts/

    thanks!!

    because too many people will lock themselves out?

    A lot of people would certainly forget that they’d limited access by IP and then complain bitterly here. But mainly, this is very site specific and needs to be set up manually to suit each site’s users. For example, you could never use this on a multisite install. Or on a site with lots of authors. So you cannot provide any kind of default in WP core as part of an install. Plus, some people are using Windows servers and don’t have an .htaccess file.

    it really seems that limiting the login requests to 1 per X seconds would alleviate what I’ve been seeing

    I disagree. I think these botnets would just continue hammering away. You might relieve the problem a little but you wouldn’t make much of a dent in the overall effect.

    Thread Starter wp3zzz

    (@wordpress3zzz)

    The goal of my request isn’t to prevent the brute force attempts themselves (which of course would be nice) but to prevent servers from getting overloaded by them, and in that regard I believe it will alleviate what I’ve been seeing. I’m going to give that plugin a try.
    Thanks for the links and info!

    Are you hosting your own server(s)?

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    The goal of my request isn’t to prevent the brute force attempts themselves (which of course would be nice) but to prevent servers from getting overloaded by them

    I do that by using ModSecurity or .htaccess. In both cases, I check based on behavior to see if the person should ever get access to wp-login.

  • The topic ‘Built in Brute Force prevention’ is closed to new replies.