
BulletProof Security
[resolved] Login security question (9 posts)

  1. borderline11
    Member
    Posted 1 year ago #

    Hi,

    I was testing the new login security and I tried a few logins.
    It didn't log failed login attempts from non-existent accounts, only the ones from existing accounts. I thought it would log any failed login attempt.
    Under Login options, I have the "Log all accounts Logins" option.

    Thanks !

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    If a user account does not exist then there is nothing to log or lock. ;) I thought about adding something like this, but what I discovered is that someone could cause serious problems for your website by abusing that type of option.

    Example: a hacker uses an auto-login script and enters any random username into that automated login script. The script attempts to log in 100 times per second. End result: this would be the same as a DoS/DDoS attack against your website and could cause a wide range of problems for a website - slowness, site down, site crash, etc.

    The correct way to handle and prevent abuse like this is what is currently being done: if the user account is not valid = return error/end script.

  3. borderline11
    Member
    Posted 1 year ago #

    Do you mean that if the hacker tried those hundreds of times to log in, those hundreds of attempts would need to be logged, and therefore this would cause the same effect as a DoS attack?

    I was using Limit Login Attempts; I could see if someone else tried to log in.

  4. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    100 to 1,000 times per second is the thing that is important to note. You would never want to log or process this type of malicious activity for 2 reasons. The goal of a DoS/DDoS attack is to overload your Server and crash your website.

    1. If the hacker is NOT using a valid username then they will never be able to successfully log into the site.

    2. WordPress handles this type of malicious authentication activity by returning an error instead of consuming unnecessary resources by continuing the authentication processing any further.

    BPS Login Security is hooking into the WordPress authentication process and is also returning an error on this type of malicious activity.

    Every time someone attempts to log in to your website they are attempting to connect to your WordPress database. This costs website resources, so if someone is overloading your website resources by trying to log in repetitively then this will cause your website to run slower or probably just crash the site. So by ending the script with an error instead of continuing with script processing the resource cost is almost nil. If on the other hand you allowed the processing of this type of malicious activity to continue on in the script and be processed then this is unnecessary use of your server resources and would have a negative impact on website performance. If handled completely wrong it could cause your host to suspend your hosting account. Therefore not allowing this type of malicious activity in the first place is the smart way to handle this.

    Honestly why would you want to see or log login attempts for invalid usernames? I do not see any valid reason to do something like that. It is an unnecessary waste of your Server's resources/website resources.

  5. borderline11
    Member
    Posted 1 year ago #

    OK, I understand. Thank you for your explanation and for adding this feature :)

  6. borderline11
    Member
    Posted 1 year ago #

    Sorry, I have another question ...

    When entering a wrong username the login page tells you the username is invalid, and when entering a wrong password it also tells you that the password for that username is wrong.

    Wouldn't it be better to display "Incorrect username or password" rather than revealing which one is incorrect?

  7. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Yep, that is already being done in the Pro version. We may decide to add this to the free version as well. We follow a schedule and have to keep on task otherwise forward growth is negatively impacted.
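    The two behaviours discussed in this thread (post 4: reject an unknown username with a cheap early error instead of logging every attempt; posts 6 and 7: show one generic message whether the username or the password was wrong) can be illustrated with a small WordPress hook file. The code below is an added example written for this page; it is not BulletProof Security's code and not the Pro feature the author mentions. It uses only core WordPress hooks (`authenticate`, `wp_login_failed`, `login_errors`), `WP_Error`, `get_user_by` and transients; the `example_` function names, the per-address counter with a 10-attempt / 600-second budget, and the use of `REMOTE_ADDR` as the source identifier are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Example Login Hardening (constructed example, not BPS code)
 *
 * 1. Unknown usernames are rejected before any password processing, and the
 *    only state written is one bounded per-source counter, so an automated
 *    script cannot make the site write an ever-growing log.
 * 2. The login form returns the same message for a wrong username and a
 *    wrong password, so it does not confirm which accounts exist.
 */

// Budget per source address; values are assumptions for this example.
const EXAMPLE_LOGIN_WINDOW_SECONDS = 600;
const EXAMPLE_LOGIN_MAX_ATTEMPTS   = 10;

/**
 * Transient key for the requesting address. REMOTE_ADDR is an assumption;
 * behind a reverse proxy the proxy-supplied client address would be needed.
 */
function example_login_counter_key() {
    $addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $addr );
}

/** Increment the bounded counter; the transient expires on its own. */
function example_login_bump_counter() {
    $key = example_login_counter_key();
    set_transient( $key, (int) get_transient( $key ) + 1, EXAMPLE_LOGIN_WINDOW_SECONDS );
}

/**
 * Stop core's username/password and email/password handlers from running,
 * so a rejected attempt never reaches the password hash check.
 */
function example_login_short_circuit() {
    remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 );
    remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );
}

/**
 * Runs at priority 5, before core's handlers at priority 20.
 * Returns a WP_Error immediately when the source is over budget or the
 * username does not belong to any account.
 */
function example_login_authenticate( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user; // let core report the empty-form case
    }

    $count = (int) get_transient( example_login_counter_key() );
    if ( $count >= EXAMPLE_LOGIN_MAX_ATTEMPTS ) {
        example_login_short_circuit();
        return new WP_Error( 'example_throttled', 'Too many login attempts. Try again later.' );
    }

    // One indexed lookup; nothing else is stored for an unknown account.
    $exists = get_user_by( 'login', $username )
        || ( is_email( $username ) && get_user_by( 'email', $username ) );
    if ( ! $exists ) {
        example_login_bump_counter();
        example_login_short_circuit();
        return new WP_Error( 'example_invalid', 'Incorrect username or password.' );
    }
    return $user;
}
add_filter( 'authenticate', 'example_login_authenticate', 5, 3 );

// Wrong passwords for real accounts count against the same budget, so a
// valid username does not get unlimited guesses.
add_action( 'wp_login_failed', 'example_login_bump_counter' );

/**
 * Replace core's specific messages ("Invalid username", "The password you
 * entered for the username X is incorrect") with one generic message.
 */
function example_login_generic_errors( $message ) {
    return 'Incorrect username or password.';
}
add_filter( 'login_errors', 'example_login_generic_errors' );
```

Dropped into `wp-content/mu-plugins/`, the file runs on every login form submission. The cost of an attempt with an unknown username is one user lookup plus one transient write, which matches the author's point that the cheap path is to end the request with an error rather than to process or log it further; the `login_errors` filter covers the message-leak question regardless of which handler produced the error.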

  8. borderline11
    Member
    Posted 1 year ago #

    OK, thanks!

  9. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Here is a perfect example of why you do not attempt to handle invalid logins: it will crash your website, because this is technically a DoS/DDoS vulnerability/exploit caused by doing something dumb like that.
    http://wordpress.org/support/topic/login-limit-htaccess-ip-ban-list-choking-under-pressure?replies=1

Topic Closed

This topic has been closed to new replies.
