Why WordPress don’t implement a basic limit login attempt solution?

  • Hello buddies. I hope nobody get offended, but I have a rant today and I have to leave it out here…

    I specialize in providing hosting for WP sites as also in cleaning compromised sites (defacements/phishing/attacks/vulns), and after every job done, I wonder why in the world the WP team haven’t hardened a bit more the security of these overall websites, natively.

    I know you continuously release security fixes here and there, and I know that you already put a lot of awesome efforts/time/work/money, but my example point to the basics, with this example: WHY WordPress can’t limit the amount of login attempts? or why XML-RPC couldn’t be inactive by default on new installs? I don’t ask for harder security measures, there are security plugins for that. But there’s still a incredibly big number of website owners with total unawarenes of that. Most hosting services don’t filter the queries, and users mostly install WP via one-click installers that deploy a template. That makes those sites inherently INSECURE.

    As a sysadmin, I’m tired of seeing these kind of logs in newbies’ or webdesigners’ accounts:
    https://drive.google.com/file/d/0B4ZIdz9VEIQGZ2tmVUpQN2lnX1E/
    (and this is just a fragment of a 280 MB log file)
    And as vast majority of hosting servers are not actively monitoring these logs until it’s really late, these scans become unnoticeable. But as long as the number of WP sites grows per server, I also see a growing number of hosting companies failing to provide a reliable or stable service.

    The current state of WordPress, is that is being natively insecure for newbies/webdesigners, and the massification of WP makes it the bot-choice to scan for. You are happy that nearly 30% of Internet is running WordPress. I’m too, really, it’s just great, as it guarantees I will have unlimited sources of jobs. But I’m also sad because that 30% of internet could become rickety in some point.

    I collaborate in several groups and forums and I see a lot of new users completely unaware of the security basics (they ever “don’t believe on bots” as if they were urban myths), and another lot of power users who think they know how to secure WordPress, but are doing pretty useless efforts and get their sites compromised, too. There’s a very small number of people with real awareness taking good security measures. And I should speak for all of them, I only can say: PLEASE HELP! Help the newbies to have a secure WP from the very first minute it’s installed, and by doing that you will help the experts too, as we cannot be omnipresent to fight the daily threats.

    IMHO, you need to consider these facts and discuss solutions with a higher priority and take more actions to secure WordPress since the very first minute it’s just installed. Then, and only then, Internet will be a place a bit more secure.

    Do you have any topics where it is discussed or starting to be analyzed? I’ll be more than pleased to collaborate and help in securing WP.

Viewing 11 replies - 1 through 11 (of 11 total)
  • Moderator James Huff

    (@macmanx)

    WHY WordPress can’t limit the amount of login attempts?

    As you mentioned already, there are plenty of plugins for these. A strong password will keep out almost all attacks, so in past discussions the WordPress developers have mentioned that they aren’t interested in increasing complexity on the average user in this way at this time.

    You, as a server admin however, can help your customers by providing https://www.fail2ban.org/ which per their project description “scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc.”

    Most hosting providers have this built-in these days, as it protects far more than just WordPress.

    Some hosting providers also install plugins like https://www.ads-software.com/plugins/limit-login-attempts/ (which, despite its age, still works great) and https://www.ads-software.com/plugins/jetpack/ (which also includes brute force protection) by default.

    In addition, compiling in https://www.modsecurity.org/ wouldn’t hurt.

    or why XML-RPC couldn’t be inactive by default on new installs?

    Right now, XML-RPC is still the primary way in which mobile and desktop apps, and most connected services, communicate with WordPress. Once the REST API is finalized, it will likely be deprecated.

    For now, something like fail2ban will also protect XML-RPC, as will the Limit Login Attempts and Jetpack plugins.

    As a hosting provider, I also recommending joining https://make.www.ads-software.com/hosting/ (as well as the Slack channel and weekly meetings mentioned there). It’s a group of hosting providers interested in collaborating on better performance and security in WordPress hosting.

    Thread Starter Marcelo Pedra

    (@kent-brockman)

    Great. Thanks for pointing those channels. I’ll join!

    As per the mod_security recommendation, it’s a double sided sword, too many rules could protect you but also ban legit hits/queries/spiders. And having few rules may be the same as not having mod_security at all. Some rules work well with WordPress but may break Joomlas or custom coded websites.

    In the other hand fail2ban is good for small servers, but it becomes I/O intensive as the number of logs to analyze is growing and even more if there are sites with high traffic or high amount of entries in the logs (in example, sites with lots of images or external css/js).

    Other than that, we use CSF as a firewall, but it works protecting other services and ports rather than 80; won’t stop login attempts.

    I really miss Mod Scurity but cPanel is still working on improving its default rules…

    I know some providers install some plugins as “mu” ones, but this disturb the peace of mind of power users as they don’t like the host to mess with their sites.

    Glad to hear XML-RPC will be deprecated/obsoleted any time soon ??

    I know the variety of available plugins. The problem is with all the thousand of website owners who don’t know that, and who also install their sites with weak passwords. Maybe, a good idea would be to pin highlighted security tips to the Dashboard widget, so that everyone will see that at least once. May this be a request to be ever considered?

    Moderator James Huff

    (@macmanx)

    May this be a request to be ever considered?

    It’s always possible. For things like that, file it like a bug, but set the report type as Enhancement: https://make.www.ads-software.com/core/handbook/testing/reporting-bugs/

    • This reply was modified 7 years, 3 months ago by James Huff.

    Perhaps the answer to Marcelo’s very valid points is to have all new installs accompanied by the most appropriate security plug-ins, and use the admin update messaging system to check and suggest any users without them add them. This is at least going a long way to solve the dual problem of vulnerability consequences and resource over-taxing Marcelo identifies. I suspect it is doable, but does there exist any appetite to fix up this very boring but major potential positive impact stuff?

    Personally I use Jetpack, which is a bit of a struggle to get your head around the subtleties at first (not sure I’ve quite got there) but it seems to work well and some of their upsells actually look useful (haven’t bought any yet). This comes from someone just cruising above “average informed gumby” level, but wouldn’t go for the “power user” tag just yet, but occasionally get mistaken for one! But I agree, it is a very worthwhile topic for some credible effort. Especially that 10% jobbie that gets 90% of the benefit – ie the “strongly recommended plugins” method – can it happen?

    Further to my comment – a standard install comes with a bs plugin to give quotes from “Hello Dolly”. Boy if there was ever a case of misguided priorities…! But hey, creators are allowed to have their quirks too, I get that.

    It was cute when WP started, but having 30% of a ginormous community means its time to get serious and pack some more useful and relevant stuff in there. And do the retrofit thing. Please. You know you want to…

    OK, OK – keep the quirkiness. But fix the security crater too…. icing
    Please

    That was supposed to be a pretty please with icing on top, but seems I couldn’t pull it off!

    Moderator James Huff

    (@macmanx)

    a standard install comes with a bs plugin to give quotes from “Hello Dolly”. Boy if there was ever a case of misguided priorities

    The Hello Dolly plugin has always been intended as an example plugin to get new developers started, similar to the default “Twenty” series of themes.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Why WordPress don’t implement a basic limit login attempt solution?

    Because it would hurt some WordPress users.

    *Drinks coffee and hope no one minds*

    You specialize in providing hosting for WP sites so you are already way outside of the beginner category of users. ?? But for someone who just did a 1 click install of WordPress they will get their password wrong multiple times.

    That new user could get frustrated when they’re temporarily locked out due to a built in login limit. As the expression goes, you only get to make one first impression and that experience of not being able to login (albeit temporarily) would be cumbersome to new inexperienced users.

    This is why this request belongs in plugin space. As users progress in their WordPress experience, they almost always ask “What can I do to make this more secure?” and that means an add-on.

    Note that I agree with why users should obtain these add-ons. I use Jetpack protect and 2FA myself. I do not use security plugins but I do see the need to restrict logins via add-ons.

    Thread Starter Marcelo Pedra

    (@kent-brockman)

    @jdembowski: I get your point. But if you leave those users alone, you are making Internet more insecure as WordPress gains more market share.

    I agree on the fact that you cannot by any means make a cumbersome first impression by locking out those newbie users. BUT, I guess you are also aware that WordPress is one of the most targetted CMS in the world by botnets. So, you should take any countermeasure. I mean, YOU MUST, guys.

    You cannot lock out users. That’s OK. But even so, WordPress should be able to count failed logins, and show an admin notice warning the user when the system detects more than X failed login attempts since installation date. So, don’t lock out the users. But raise awareness instead! Just show an admin notice and link it to security documentation, or WP repo results for security plugins, so every user can choose what to use. I think keeping the userbase advised would be a nice and appreciated move within the community.

    Example URLs you could link to:
    https://www.ads-software.com/plugins/tags/security/
    https://www.ads-software.com/plugins/tags/firewall/
    https://www.ads-software.com/plugins/tags/malware/

    Do what you consider better for the userbase. But I see it everyday: newbie users are 100% helpless. You seriously need to keep an eye on security to continue building a better internet experience for everybody.

    Hope you can take this into consideration.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Please don’t ping people for 4 month old topics.

    I get your point.

    Good!

    But if you leave those users alone, you are making Internet more insecure as WordPress gains more market share.

    OK. Correction, you didn’t get my point.

    Here’s my point. ??

    https://www.ads-software.com/support/topic/why-wordpress-dont-implement-a-basic-limit-login-attempt-solution/?view=all#post-9304525

    You seriously need to keep an eye on security to continue building a better internet experience for everybody.

    It’s not up to me, I’m not WordPress. ??

    If you wish, feel free to submit a patch. You’ve not made a case for this IMHO but again, it’s not up to me. Submit a patch and if it is accepted then great.

    If not then this functionality will remain where it is which is plugin space.

    Thread Starter Marcelo Pedra

    (@kent-brockman)

    ok @jdembowski thanks for the feedback. What’s the recommended place to submit such a feature request? trac? github?

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘Why WordPress don’t implement a basic limit login attempt solution?’ is closed to new replies.