• Resolved tongoa

    (@tongoa)


    I’ve just upgraded to the free Micro Cloud (for which, thanks) with the idea I would Deny all usernames except for my admin username which I would Allow. However a thought occurred – by doing this am I potentially tipping off a brute force attacker that they have uncovered my username and that all they have to do now is brute force out my password? If they were to hit on my username and therefore the plugin allows them to enter passwords, would this not tell them they have correctly uncovered my username? Silly question perhaps, but jumping at shadows isn’t a bad approach to online security.

Viewing 1 replies (of 1 total)
  • Plugin Author WPChef

    (@wpchefgadget)

    There is a bunch of situations when a failed login attempt will return the “ERROR: Too many failed login attempts.” message: when the login is blocked manually, when the country is blocked manually, when there were indeed too many login attempts. So we do obfuscate this. Also the “X attempts left” messages are displayed using AJAX which means it’s hard for a bot (but not impossible, however not economically efficient) to parse a JavaScript to get them in case of an automatic attack which is the main one used in brute-forcing. All these measures are implemented to make it much more difficult to guess what is blocked and why. And if the user doesn’t exist we notify that the password was incorrect. You made a good point though and we’ll think of how to make the messages even more obscure for the hackers.
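The concern raised in this thread is username enumeration: if "unknown user", "wrong password" and "blocked" each produce a different response, an attacker learns which usernames exist. The sketch below is an added example, not code from the plugin or from either poster; it generalizes the author's approach by returning one generic message for every failure cause (unknown user, wrong password, manual block, country block, too many attempts) and by always performing a password hash so the timing of the unknown-user path matches the wrong-password path. The user store, the `admin` account, its password, the lockout threshold and the client IP/country values are all constructed for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed demo settings (not the plugin's real values).
ITERATIONS = 100_000
MAX_ATTEMPTS = 5
GENERIC_FAILURE = "ERROR: Invalid username or password."


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; slow on purpose so guessing is expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, password hash).
_admin_salt = os.urandom(16)
USERS = {
    "admin": (_admin_salt, hash_password("correct horse battery staple", _admin_salt)),
}

# Dummy credential used when the username is unknown, so the handler
# still does exactly one hash computation and the response time does
# not reveal whether the username exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("not-a-real-password", _DUMMY_SALT)


@dataclass
class LoginState:
    """Per-site lockout state, keyed by client IP rather than username so
    unknown usernames cannot be enumerated through the counter either."""
    failures: dict = field(default_factory=dict)        # ip -> failed attempts
    blocked_ips: set = field(default_factory=set)       # manually blocked
    blocked_countries: set = field(default_factory=set)  # manually blocked


def authenticate(state: LoginState, username: str, password: str,
                 client_ip: str, country: str):
    """Return (ok, message). Every failure path yields GENERIC_FAILURE."""
    # Always hash, even when the user is unknown or the request is blocked,
    # so all failure paths cost the same amount of work.
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    password_ok = hmac.compare_digest(candidate, expected)  # constant-time
    user_exists = username in USERS

    blocked = (
        client_ip in state.blocked_ips
        or country in state.blocked_countries
        or state.failures.get(client_ip, 0) >= MAX_ATTEMPTS
    )
    if blocked or not user_exists or not password_ok:
        # Count the failure, but never say *why* the login failed.
        state.failures[client_ip] = state.failures.get(client_ip, 0) + 1
        return False, GENERIC_FAILURE

    state.failures.pop(client_ip, None)
    return True, "Welcome, " + username


def failure_messages() -> dict:
    """Exercise each failure cause and collect the message it produces."""
    out = {}
    s = LoginState()
    out["unknown_user"] = authenticate(s, "nobody", "x", "10.0.0.1", "US")[1]
    out["wrong_password"] = authenticate(s, "admin", "x", "10.0.0.1", "US")[1]

    s = LoginState()
    for _ in range(MAX_ATTEMPTS):
        authenticate(s, "admin", "wrong", "10.0.0.2", "US")
    # Correct password, but the IP is now locked out.
    out["too_many_attempts"] = authenticate(
        s, "admin", "correct horse battery staple", "10.0.0.2", "US")[1]

    s = LoginState(blocked_countries={"ZZ"})
    out["country_blocked"] = authenticate(
        s, "admin", "correct horse battery staple", "10.0.0.3", "ZZ")[1]
    return out


if __name__ == "__main__":
    for cause, msg in failure_messages().items():
        print(f"{cause:18s} -> {msg}")
```

Run as a script, every failure cause prints the same string, which is the property a defender wants: an attacker who guesses `admin` sees nothing different from an attacker who guesses `nobody`. A real deployment would also persist the lockout counters and rate-limit per IP at the web server, but the visible behaviour of the login endpoint should stay exactly this uniform.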
