Reset Admin Password - Attempt Limit == security hole

  1. strings28
    Member

    I just recently had a site I admin hacked because a hacker was able to reset the admin password via the login form (the admin's handle was 'admin') and then, using the algorithm that was in the PHP code, he brute-forced his way into my admin account. Based on my statistics application it took about 527 attempts before he logged in. I have since restored the install and added in the plugin to limit the number of attempts that fail from an IP range, but I suggest that the limitation plugin be a part of WordPress by default because this security hole seems pretty easy to automate.

    Kind Regards,
    Strings28

    Posted: 4 years ago #
  2. Are you sure that the plugin works well? Usually these attacks don't use the same IP address... They just use a bot net with thousands of remote-controlled PCs with different IPs.

    Posted: 4 years ago #
  3. strings28
    Member

    I'm not sure the plugin works well, I'd have to look and see what I could see regarding the IP addresses.

    Posted: 4 years ago #
  4. How did your hacker get the reset email?

    Posted: 3 years ago #
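
The mitigation the first post describes (throttling failed logins per IP) and the objection in the second reply (a botnet spreads attempts over many IPs) can both be seen in a small login throttle. The code below is an added example written for this thread; it is not WordPress code or the plugin the poster installed, and it is in Python rather than PHP so the counting logic stands on its own. It keeps two counters, one per client IP and one per target account, so that a flood of failures against 'admin' from many addresses still locks the account. The thresholds, window, and the sample attempt logs are assumptions constructed for illustration.

```python
"""Login throttle keyed on client IP and on the target account.

Added example for this thread, not WordPress or plugin code. The limits,
window and lockout below are illustrative assumptions.
"""
from collections import defaultdict, deque

IP_LIMIT = 5          # failures from one IP inside the window before lockout
ACCOUNT_LIMIT = 10    # failures against one account, from any IPs, before lockout
WINDOW = 600          # seconds over which failures are counted
LOCKOUT = 900         # seconds a locked IP or account stays locked


class LoginThrottle:
    def __init__(self, ip_limit=IP_LIMIT, account_limit=ACCOUNT_LIMIT,
                 window=WINDOW, lockout=LOCKOUT):
        self.ip_limit = ip_limit
        self.account_limit = account_limit
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lock expires

    def _prune(self, key, now):
        """Drop failures older than the window; return the live queue."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                      # lock expired: start fresh
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def allowed(self, ip, username, now):
        """True if an attempt from ip against username may be checked at all."""
        return not (self.is_locked(("ip", ip), now)
                    or self.is_locked(("acct", username.lower()), now))

    def record_failure(self, ip, username, now):
        # Count the failure against both the source IP and the target account.
        for key, limit in ((("ip", ip), self.ip_limit),
                           (("acct", username.lower()), self.account_limit)):
            q = self._prune(key, now)
            q.append(now)
            if len(q) >= limit:
                self._locked_until[key] = now + self.lockout

    def record_success(self, ip, username):
        self._failures.pop(("ip", ip), None)
        self._failures.pop(("acct", username.lower()), None)


# Constructed sample logs: (seconds, source ip, username, password_correct).
# One attacker hammering from a single address, then guessing right:
SINGLE_SOURCE = [(t, "203.0.113.7", "admin", False) for t in range(0, 60, 10)] \
    + [(70, "203.0.113.7", "admin", True)]
# The botnet case from the second reply: every attempt from a different address:
BOTNET = [(t, "198.51.100.%d" % n, "admin", False)
          for n, t in enumerate(range(0, 120, 10), start=1)] \
    + [(130, "198.51.100.99", "admin", True)]


def replay(attempts, throttle=None):
    """Feed attempts through the throttle; return one outcome string per attempt."""
    throttle = throttle or LoginThrottle()
    outcomes = []
    for now, ip, user, correct in attempts:
        if not throttle.allowed(ip, user, now):
            outcomes.append("blocked")        # refused before the password is checked
            continue
        if correct:
            throttle.record_success(ip, user)
            outcomes.append("success")
        else:
            throttle.record_failure(ip, user, now)
            outcomes.append("failed")
    return outcomes


if __name__ == "__main__":
    print("single source:", replay(SINGLE_SOURCE))
    print("botnet, ip+account limits:", replay(BOTNET))
    print("botnet, ip limit only:", replay(BOTNET, LoginThrottle(account_limit=10**9)))
```

With both counters the botnet run is refused after ten failures against 'admin' even though no single IP exceeds its own limit; with the account counter effectively disabled (the last line of the demo) the same run reaches "success", which is the weakness the second reply points at. A real deployment would also back the counters with shared storage rather than process memory and pair the throttle with a non-guessable admin username.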

  • Rating: 5 Votes
  • Status: This is plugin territory