gcranston (@gcranston) [Resolved]


    For the last 17 hrs, a single IP address has been brute-forcing continuously, and is managing around 171 attempts every 120 mins.

    I know the site’s not under threat, especially with this plugin (only 1450 attempts rather than hundreds of thousands, and the strong passwords, not even using correct usernames etc), but is there any significant resource usage having waiting scripts continuously going?

    I know you’ve avoided absolute lockouts, but would there be any place or benefit for having at least some threshold for lockout, that far exceeds what even the most persistent of regular users might try? e.g. after 50 goes from a single ip for example, it would get blacklisted for good (or until an admin undoes this). Clearly the odd attacker doesn’t get bored very easily of trying! Or is this just something that makes us feel better, but doesn’t actually make any difference to anything?

    https://wordpress.org/plugins/login-security-solution/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter gcranston (@gcranston)

    Further to the information above, I have a little more information that’s really raising my doubts about this plugin… please correct my assumptions if I am wrong though.

    Last night, over a 59 minute period, a single IP address made 10,004 POST requests to wp-login.php. I have this information from filtering the webserver’s raw log data.

    I did this because my website was brought down for about an hour coinciding with this attack. Resource usage (on shared hosting) was maxed out, so nothing could be accessed by anyone. There were too many concurrently running processes to allow anything else to happen.

    Why are so many processes being used? Is it simply because of the attack? It would seem to me as though a plugin like this would be expected to solve that problem, but I’m wondering if it’s actually creating a problem having processes running delaying things? If not, why did my site come down for an hour? Wouldn’t it just be solved by having a lockout on attempts from one place?
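The two posts above describe filtering the raw webserver log for POSTs to wp-login.php and asking why a plugin that delays failed logins can still leave the server saturated. The script below is an added example, not part of the plugin or of either post: it parses Apache/nginx combined-format log lines (a constructed sample, not real traffic), flags any IP that exceeds a per-IP threshold of login POSTs inside a sliding window (the "50 goes from a single IP" figure from the first post is used as the default), and applies Little's law to estimate how many PHP processes sit sleeping when each failed attempt is held for a delay. The 5-second delay in the example is an assumption for illustration; the page does not state how long the plugin actually waits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format as written by Apache/nginx. Only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop query string
        "status": int(m.group("status")),
    }


def login_posts(lines):
    """Yield only the parsed records that are POSTs to wp-login.php (login attempts)."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            yield rec


def count_per_ip(lines):
    """Total login POSTs per source IP, the same view as grepping the raw log."""
    counts = defaultdict(int)
    for rec in login_posts(lines):
        counts[rec["ip"]] += 1
    return dict(counts)


def flag_ips(lines, threshold=50, window=timedelta(minutes=120)):
    """Return {ip: (time threshold was first reached, attempts in window)} for every IP
    that made at least `threshold` login POSTs within any sliding window of `window`."""
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    flagged = {}
    for rec in sorted(login_posts(lines), key=lambda r: r["ts"]):
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # expire attempts older than the window
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = (rec["ts"], len(q))
    return flagged


def expected_concurrency(requests, seconds, delay_seconds):
    """Little's law (L = lambda * W): the average number of requests in flight equals the
    arrival rate times the time each one is held. If every failed login sleeps for
    `delay_seconds`, this is roughly how many PHP processes are tied up at once."""
    return requests / seconds * delay_seconds


def build_sample_log():
    """Constructed sample: one noisy IP sends 60 login POSTs 30 s apart, a second IP sends
    3 spaced out plus a GET; addresses are from documentation ranges, not real hosts."""
    base = datetime(2014, 3, 1, 2, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):
        t = (base + timedelta(seconds=30 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{t}] "POST /wp-login.php HTTP/1.1" 200 3721 "-" "Mozilla/5.0"')
    for i in range(3):
        t = (base + timedelta(minutes=10 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.2 - - [{t}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append(f'198.51.100.2 - - [{base.strftime(TS_FMT)}] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("login POSTs per IP:", count_per_ip(log))
    for ip, (when, n) in flag_ips(log).items():
        print(f"{ip} reached {n} attempts in the window at {when.isoformat()}")
    # The second post's figures: 10,004 POSTs in 59 minutes. With an assumed 5 s hold per attempt:
    print("estimated sleeping processes:", round(expected_concurrency(10004, 59 * 60, 5), 1))
```

The concurrency estimate is the part that answers the second post's question: holding each failed attempt open does not reduce the number of requests the attacker sends, it only lengthens how long each one occupies a worker, so the number of simultaneously busy processes scales with the attack rate. A per-IP threshold such as the one `flag_ips` computes can instead be turned into a firewall or webserver deny rule so those requests never reach PHP at all.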

    Plugin Author Daniel Convissor (@convissor)

    Yeah, I’m contemplating a hard lockout because of heavy brute force attacks ending up causing denial of service.

  • The topic ‘Should there be a lockout at least at some point?’ is closed to new replies.