retronaut
Forum Replies Created
Can you share this edit? I have simply commented out the PHP sleep command.
I agree with the delay time being a user setting with an option for no delay. What I need from this solution is the tracking of the username and the IP of the failed attempts. When an IP/user has reached the threshold to be blocked, I would prefer no delay and a generic 500/400 error response.
A good addition to the plugin would be a smart list of usernames to ignore. We do not have an “admin” user so it seems fruitless to ask the database if the password matches and to waste a PHP process delaying the automated attacks on the “admin” account.
I understand the wish to slow the attack down, but it is better for server resources to send error pages quickly than to slow each login down.
Forum: Plugins
In reply to: [Login Security Solution] LFD Alerts "Excessive processes running"
I had a similar problem. Our site was attacked from multiple IPs and the number of current PHP processes exceeded 15000 due to the time it takes for the wp-login script to complete. PHP stopped responding.
I have blocked access to the wp-login page for external IPs to keep the site safe from such attacks. It works but now our external authors and translators must access our VPN to edit the site.
I have not found a mod with the option to change the location or name of the wp-login script.
I would prefer to stop PHP from processing the direct login attempts. Rather than using the referrer, which can be spoofed, a similar solution could be to create a page that links to the wp-login page and must be visited first. The script would set a session variable that the wp-login page checks before providing the login form or attempting to process a login request.
Thanks for your help.
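The gate-page idea from the reply above, sketched as a WordPress must-use plugin. This is an added example, not code from the forum poster or from the Login Security Solution plugin; the file location, the `login_gate` query parameter, the session key and the 10-minute lifetime are assumptions.

```php
<?php
/**
 * Added example: hypothetical must-use plugin, e.g. wp-content/mu-plugins/login-gate.php.
 * Assumed names: ?login_gate=1 as the gate URL, 'login_gate_ok' as the session key.
 */

const GATE_SESSION_KEY = 'login_gate_ok'; // hypothetical session key
const GATE_TTL_SECONDS = 600;             // hypothetical lifetime of the flag

function gate_start_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(['cookie_httponly' => true, 'cookie_samesite' => 'Lax']);
    }
}

/** Pure check: is the stored timestamp an integer that is not older than the TTL? */
function gate_flag_is_fresh($stamp, int $now, int $ttl = GATE_TTL_SECONDS): bool {
    return is_int($stamp) && $stamp <= $now && ($now - $stamp) <= $ttl;
}

// Step 1: the gate page. Visiting it sets the flag and forwards to the login form.
add_action('init', function () {
    if (!isset($_GET['login_gate'])) {
        return;
    }
    gate_start_session();
    $_SESSION[GATE_SESSION_KEY] = time();
    wp_safe_redirect(wp_login_url());
    exit;
});

// Step 2: the login action (form display and credential POST) requires the flag.
// 'login_form_login' fires only for the login action, after wp-login.php has
// normalised unknown action values to 'login', so logout and password-reset
// links are not affected.
add_action('login_form_login', function () {
    gate_start_session();
    $stamp = $_SESSION[GATE_SESSION_KEY] ?? null;
    if (!gate_flag_is_fresh($stamp, time())) {
        status_header(403); // short generic error: no sleep, no password lookup
        exit;
    }
});
```

A client that keeps cookies and requests the gate URL first still passes this check, so it only filters direct requests to wp-login.php. WordPress is already loaded when the hook runs; rejecting before PHP starts at all requires a rule at the web server or firewall.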