ClassicPress Petitions
This is a read-only archive. Post or comment on the live version of this page on our forums.

Add some basic brute force protection please

September 7, 2018 · 21:38 · Rudy Brinkman
Description

I would like to see some basic protection against brute force attacks on the wp-login.php and xmlrpc.php. At the moment, you will need to add plugins and/or disable access to xmlrpc.php using plugins. I hope to see ClassicPress with a basic protection like a captcha on the login page.

Tags
Request: Add feature
Discussion
KTS915

Please: no captchas!

Wade Striebel

I have to agree, I don't like captchas... # of retry attempts may be better

David Shanske

I am in favor of number of failed attempts and maybe account locking

Pieter Bos

Definitely no captchas! Why make it a problem of the user?

Ian

It is embarrassing that there is no limit to how many failed login attempts you can make on a default WP installation without it complaining / doing something about it. I add the protection at the server level, but it really should be more secure 'out of the box'.

No captchas though, just rate-limiting.

Pedro de Carvalho

+1 on rate limiting, no captchas

Raymund

Would be a good idea to collate all security functionalities into one Security submenu in the Settings menu, as with this petition: https://petitions.classicpress.net/posts/136/new-settings-submenu-security

Tim Kaye

I implement brute force protection using transients, which simply lock someone out of their account for a fixed period of time after a certain number of failed attempts. After that time has elapsed and they have logged in successfully, the transient is deleted. Simple.

But I have hard-coded it. Would need to add a UI before it could be added to core.
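An added illustration of the transient-based scheme described in the comment above (this is not Tim Kaye's code and not part of the petition; the threshold of 5 attempts, the 15-minute lockout and every name beginning with `example_` are assumptions). It hooks the core `authenticate` filter and the `wp_login_failed` / `wp_login` actions, so it applies to wp-login.php and XML-RPC logins alike:

```php
<?php
/**
 * Plugin Name: Example Login Lockout (illustration, not from the petition)
 *
 * Locks an account after a number of failed logins for a fixed period,
 * using a transient as the counter. Thresholds below are assumed values.
 */

define( 'EXAMPLE_LOCKOUT_MAX_ATTEMPTS', 5 );                      // assumed
define( 'EXAMPLE_LOCKOUT_DURATION', 15 * MINUTE_IN_SECONDS );     // assumed

/**
 * Transient names have a length limit, so hash the normalised username.
 */
function example_lockout_key( $username ) {
	return 'example_lockout_' . md5( strtolower( sanitize_user( $username, true ) ) );
}

/**
 * Refuse the login while the account is locked.
 *
 * Priority 30 runs after the default username/password check (priority 20),
 * so a correct password does not bypass the lockout either.
 */
add_filter( 'authenticate', 'example_lockout_check', 30, 3 );
function example_lockout_check( $user, $username, $password ) {
	if ( empty( $username ) ) {
		return $user;
	}
	$attempts = (int) get_transient( example_lockout_key( $username ) );
	if ( $attempts >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS ) {
		return new WP_Error(
			'example_locked_out',
			__( 'Too many failed login attempts. Please try again later.' )
		);
	}
	return $user;
}

/**
 * Count a failure. Once the threshold is reached the transient is left
 * untouched so the lockout runs for a fixed period rather than being
 * extended by every further attempt.
 */
add_action( 'wp_login_failed', 'example_lockout_record_failure' );
function example_lockout_record_failure( $username ) {
	if ( empty( $username ) ) {
		return;
	}
	$key      = example_lockout_key( $username );
	$attempts = (int) get_transient( $key );
	if ( $attempts >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS ) {
		return; // already locked; keep the original expiry
	}
	set_transient( $key, $attempts + 1, EXAMPLE_LOCKOUT_DURATION );
}

/**
 * A successful login clears the counter, as in the scheme described.
 */
add_action( 'wp_login', 'example_lockout_clear', 10, 2 );
function example_lockout_clear( $user_login, $user ) {
	delete_transient( example_lockout_key( $user_login ) );
}
```

Two points worth checking before relying on something like this: keying the counter on the username means anyone who knows a login name can lock that user out simply by failing repeatedly, which is the self-inflicted denial of service raised later in the thread, and keying on the client address instead runs into shared NATs and proxies. Every rejected attempt still costs a PHP request and a database or object-cache write, so this limits password guessing but does not reduce load the way a server-level block does.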

William Patton

Brute force protection at server level is the more useful option. Application level protection implementations are still vulnerable to triggered DDoS from brute force attempts.

Alan Coggins

Also agree with rate limiting, no captchas

James Nylen

>Brute force protection at server level is the more useful option. Application level protection implementations are still vulnerable to triggered DDoS from brute force attempts.

Agree, this is best done at the server level using fail2ban or similar.

There is also https://wp-fail2ban.com/ which provides specific integration with WP/ClassicPress.

Jesse

This is a bad idea to include in Core, and is an example of overstepping. Firstly, there are a million use cases for a CMS like ClassicPress and preventing certain login behaviors will inhibit (for example) testing, etc. Certain things can and must remain the responsibility of layers "higher up" the stack such as server configuration and firewalls. The WordPress world is notorious for overloading the PHP layer with things it shouldn't be responsible for... this is one of those things.

There are also marketing concerns: for every feature that ClassicPress adds to Core, the more it chips away at building an ecosystem.

zigpress

Noooo! Captchas are terrible for usability and accessibility. By all means do rate-limiting but don't destroy usability for legitimate users as a way of trying to put off bad users.