ecSTATic
[resolved] Login Locker (9 posts)

  1. robanna
    Member
    Posted 1 year ago #

    What happens after the number of failed login attempts is reached? Is the 403 page displayed?

    It looks like they are still able to get to the login form somehow. At least they are in the activity monitor.

    http://wordpress.org/extend/plugins/ecstatic/

  2. MikeSoja
    Member
    Plugin Author

    Posted 1 year ago #

    Yes, the 403 is delivered.

    Visitors to the LogIn page or form do not always attempt to log in, though a visit to the LogIn page and an attempt to log in look the same in terms of page accesses. You'll see "Login" followed by "Login", with only the second one being the log in attempt. The script only takes note of actual failed log in attempts, but doesn't count anything against calling up the LogIn box.

  3. robanna
    Member
    Posted 1 year ago #

    Thanks!

  4. robanna
    Member
    Posted 1 year ago #

    So, I don't know how the Locker works but I think I see an issue.

    I have a few bots that are trying a brute force attack and they are doing it at an extremely slow speed; like 1 try every 30 minutes. They will never hit the threshold I have set (something like 6 failed attempts in 20 minutes) but they will have 50 failed attempts in a row each day. My thought would be to have the locker use [x] attempts in a row then it's locked out for [n] minutes/hours.

    I know my current solution is to blacklist the IP for a few days/weeks but that is not a very elegant solution.

  5. MikeSoja
    Member
    Plugin Author

    Posted 1 year ago #

    I can change login_limit and login_lock_duration from TINYINTs to SMALLINTs, thereby giving you a larger window for login fail checks.

    The downside to that would be that a longer login_lock_duration would apply to someone honestly mis-typing his password x times.

  6. robanna
    Member
    Posted 1 year ago #

    The same issue would apply to someone who legitimately forgets their password and keeps trying it over and over.

    Six of one, half a dozen of the other, I guess.

  7. MikeSoja
    Member
    Plugin Author

    Posted 1 year ago #

    I've made the changes, but have no time until Friday to push an update.

    One idea... if the "block IP for X minutes" value is set to 0, use the visitor's history of failed logins to determine a blocking length. That way, if a visitor commits five login fails in five minutes, that IP is blocked for the next ten minutes, while another visitor who commits five login fails over 24 hours is blocked for 48 hours. Maybe hard code a minimum block, like fifteen minutes, with a slide toward 1:1 as the time approaches 24 hours.
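    An added example (not code from the ecSTATic plugin, and in Python rather than the plugin's PHP) sketching the adaptive lockout described in the post above. It assumes timestamps in minutes, a fixed 2:1 block-to-elapsed ratio (the ratio in both figures given: 5 fails in 5 minutes blocks 10, 5 fails in 24 hours blocks 48 hours) with the suggested fifteen-minute floor, and a 24-hour look-back so failures older than a day are forgotten; the "slide toward 1:1" is left out.

```python
from collections import defaultdict, deque

MIN_BLOCK_MIN = 15          # hard-coded minimum block, as suggested in the post
LOOKBACK_MIN = 24 * 60      # failures older than this are no longer counted
BLOCK_RATIO = 2             # assumption: block = 2 x time taken to reach the threshold


class LoginLocker:
    """Per-IP failed-login tracker with a sliding-scale block length."""

    def __init__(self, threshold=5, fixed_block_min=0):
        self.threshold = threshold
        # 0 means "calculate the block from the visitor's failure history"
        self.fixed_block_min = fixed_block_min
        self.fails = defaultdict(deque)   # ip -> timestamps (minutes) of failures
        self.blocked_until = {}           # ip -> minute at which the block expires

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, -1) > now

    def block_length(self, fail_times):
        """Minutes to block once the threshold has been reached."""
        if self.fixed_block_min > 0:
            return self.fixed_block_min
        elapsed = fail_times[-1] - fail_times[0]   # time taken to commit X failures
        return max(MIN_BLOCK_MIN, BLOCK_RATIO * elapsed)

    def record_failure(self, ip, now):
        """Record a failed login; return the block length in minutes, or 0 if not blocked."""
        q = self.fails[ip]
        while q and now - q[0] > LOOKBACK_MIN:   # drop failures beyond the look-back
            q.popleft()
        q.append(now)
        if len(q) < self.threshold:
            return 0
        minutes = self.block_length(list(q))
        self.blocked_until[ip] = now + minutes
        q.clear()                                 # start a fresh count after blocking
        return minutes

    def record_success(self, ip):
        """A successful login clears the visitor's failure history."""
        self.fails.pop(ip, None)


def slow_bot_block_minutes():
    """Constructed scenario from the thread: one failure every 30 minutes."""
    locker = LoginLocker(threshold=5)
    result = 0
    for t in (0, 30, 60, 90, 120):
        result = locker.record_failure("198.51.100.7", t)   # constructed sample IP
    return result
```

With the fixed-window approach the slow bot above never trips a "6 in 20 minutes" rule; here it is blocked for 240 minutes after its fifth failure, while a fast burst still gets only the 15-minute floor.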

  8. MikeSoja
    Member
    Plugin Author

    Posted 1 year ago #

    Still trying to figure out one little thing. Shooting for Saturday, now.

  9. robanna
    Member
    Posted 1 year ago #

    Thanks!

    In the "Login Locker" option block, setting the third parameter (blocking minutes) to zero forces the program to calculate an appropriate blocking time on a sliding scale based on the number of minutes a visitor took to execute X number of failed Logins. See Options page for details.

Topic Closed

This topic has been closed to new replies.
