BruteProtect
[resolved] How many attempts? (8 posts)

  1. David Anderson
    Member
    Posted 1 year ago

    Hi,

    I love the idea and have used this on a few sites.

    Question:
    I have a site that is mainly for users from a single institution. The whole institution is (probably) behind a single IP address. So, a few failed logins from different users could quickly look like a cracker at work, and lock everyone out - not just out of this site, but out of all Brute-Protected sites. Or perhaps not - it's hard to say... the question is: what are the limits? And secondly... can they be made configurable? (e.g. "Don't report the IP to BruteProtect central unless it has X failures within Y minutes" - depending on how BP actually works under the hood).

    David

    http://wordpress.org/extend/plugins/bruteprotect/

  2. Sam Hotchkiss
    Member
    Plugin Author

    Posted 1 year ago

    Hi David--

    First off, thanks for your feedback! We've been hard at work on a number of major updates to the plugin, one of which will directly address this concern, and we can't wait to unveil them.

    In the meantime-- it's 10 failed logins before a lockout occurs. You are correct in saying that this will lock out the user across BP-protected sites.

    As an interim fix, you can make the following change:

    To whitelist your IP on your site, change line 37 of bruteprotect.php from:

    add_action('login_head', 'brute_check_loginability');

    to:

    if($_SERVER['REMOTE_ADDR'] != '1.1.1.1') { add_action('login_head', 'brute_check_loginability'); }

    (replacing 1.1.1.1 with your IP)

    Hope this helps!

  3. alfonsocaponi
    Member
    Posted 10 months ago

    Hi guys,

    is it possible to set the number of failed logins before a lockout occurs (in the admin plugin console or directly in the PHP code)?

    Thank you

  4. Sam Hotchkiss
    Member
    Plugin Author

    Posted 10 months ago

    No-- the number of failed logins is controlled by our API. It's more than just X logins then a block-- we use the data from the 10m+ failed logins we have logged to help determine if someone is a real threat, and we'll keep refining this algorithm as we move forward.

  5. Daan Oostindiën
    Member
    Posted 9 months ago

    Can you give any indication about the timespan you use for this count? (10 attempts a year or 10 attempts an hour make quite the difference.) And perhaps for the length of the lockout period?

    I'd like to be able to tell my clients (more or less) exactly what plugins do.

  6. Sam Hotchkiss
    Member
    Plugin Author

    Posted 9 months ago

    Hi Daan--

    At the moment, the algorithm is:
    8 failed attempts in 8 hours = 8 hour block
    15 failed attempts in 24 hours = 48 hour block
    25 failed attempts in 7 days = 14 day block
    40 failed attempts in 1 month = 2 month block
    65 failed attempts in 1 year = 2 year block

    We're working on making this "smarter"-- more details to come

  7. David Anderson
    Member
    Posted 9 months ago

    Blocking anything for 2 years is probably unhelpful... IP addresses can get recycled quite a lot, particularly if they're on VPS services. It'd be hugely annoying to buy a VPS to install a VPN server on, then find that you can't log in to lots of WP sites because of a 2-year ban.

  8. Daan Oostindiën
    Member
    Posted 9 months ago

    Ah, getting a 2 year block takes serious effort:
    First you get an 8h block (8 failed)
    Then you get a 2d block (15 failed = 2d, 8h)
    Then you get an 8h block (23 failed = 2d, 16h)
    Then you get a 14d block (25 failed = 18d, 16h)
    Then you get an 8h block (33 failed = 19d)
    Then you get a 2m block (40 failed = 2m, 21d)
    Then you get an 8h block (48 failed = 2m, 21d, 8h)
    Then you get a 2d block (55 failed = 2m, 23d, 8h)
    Then you get an 8h block (63 failed = 2m, 21d, 16h)
    Then, after 2 months, 21 days and 16 hours of continuous hammering from the same IP, you get a 2 year block (which effectively resets everything).

    It's pretty hard to get to the point where you'll be blocked for 2 years, but nonetheless there should be an 'Unblock me' feature somewhere. 25 failed attempts is not unthinkable, but being unable to log in for two weeks is.

    I would also suggest starting with some smaller steps. 8 failed attempts is not much, but blocks you for a nasty period. Perhaps start with 15m, then an hour, then rapidly build up to longer periods for the real bots.

    A bit like this:
    5 failed attempts in 15mins = 15 min block
    10 failed attempts in 30mins = 1 hour block
    15 failed attempts in 90mins = 1 day block
    Etc..

    It also seems important to give some feedback like '3 attempts left'.
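Added example, not code from BruteProtect or from any poster in this thread: a Python model of the escalation schedule Sam posted (post 6), run against the "continuous hammering from the same IP" scenario Daan walks through (post 8). It assumes one failed attempt per second whenever the IP is not blocked, 30-day months and a 365-day year, and that when several thresholds are met at once the longest block wins.

```python
HOUR = 3600
DAY = 24 * HOUR

# Escalation schedule as posted in the thread: (failures, window, block), all in seconds.
# Assumptions: "1 month" = 30 days, "2 months" = 60 days, "1 year" = 365 days.
SCHEDULE = [
    (8, 8 * HOUR, 8 * HOUR),
    (15, 24 * HOUR, 48 * HOUR),
    (25, 7 * DAY, 14 * DAY),
    (40, 30 * DAY, 60 * DAY),
    (65, 365 * DAY, 2 * 365 * DAY),
]


def block_for(failures, now):
    """Block duration in seconds (0 = no block) for one IP, given the timestamps
    of its failed logins. The longest block whose threshold is met wins."""
    best = 0
    for count, window, block in SCHEDULE:
        recent = sum(1 for t in failures if now - t <= window)
        if recent >= count:
            best = max(best, block)
    return best


def simulate(max_time, interval=1):
    """Model an IP that fails one login every `interval` seconds whenever it is
    not blocked. Returns one (total_failures, time_of_block, block_seconds)
    tuple per block imposed before max_time."""
    failures, events, now = [], [], 0
    while now < max_time:
        failures.append(now)
        block = block_for(failures, now)
        if block:
            events.append((len(failures), now, block))
            now += block  # sit out the block, then resume hammering
        now += interval
    return events


if __name__ == "__main__":
    for total, at, block in simulate(90 * DAY):
        print(f"failure #{total:>2} at day {at / DAY:5.1f}: blocked {block / DAY:6.2f} days")
```

Note that because the longest applicable block wins, the 40th failure draws the 2-month block even though it also satisfies the 15-in-24-hours rule, and the 65th draws the 2-year block while also satisfying 25-in-7-days; the model reaches the 2-year block after the same sequence of failure counts Daan lists (8, 15, 23, 25, 33, 40, 48, 55, 63, 65).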

Topic Closed