Reset Admin Password - Attempt Limit == security hole

  1. strings28

    I just recently had a site I admin hacked because a hacker was able to reset the admin password via the login form (the admin's handle was 'admin') and then, using the algorithm that was in the PHP code, he brute-forced his way into my admin account. Based on my statistics application it took about 527 attempts before he logged in. I have since restored the install and added in the plugin to limit the number of failed attempts from an IP range, but I suggest that the limitation plugin be a part of WordPress by default because this security hole seems pretty easy to automate.

    Kind Regards,

    Posted: 7 years ago #
  2. Are you sure that the plugin works well? Usually these attacks don't use the same IP address... They just use a botnet with thousands of remote-controlled PCs with different IPs.

    Posted: 7 years ago #
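The difference between the two posts above (a limiter keyed on the source IP, versus an attacker who spreads the guesses over a botnet) can be shown with a small simulation. The following is an added example, not code from the thread or from any WordPress plugin: it models a login throttle that can count failures per IP and/or per account, then replays the same ordered guess list from a single address and from a fresh address per attempt. The admin password, the guess list (with the right answer at position 527 to mirror the count reported in the first post) and the IP ranges are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample data (not from the original thread): the target account,
# its password, and the attacker's ordered guess list with the real password at
# position 527.
ADMIN_USER = "admin"
ADMIN_PASSWORD = "guess-0527"
GUESSES = [f"guess-{i:04d}" for i in range(1, 601)]


class LoginLimiter:
    """Counts failed logins and refuses further attempts once a key
    (source IP and/or target account) reaches max_failures.

    This is a deliberately simple, permanent lock; a production limiter would
    use time-windowed counters or exponential backoff instead."""

    def __init__(self, max_failures=5, lock_by_ip=True, lock_by_account=False):
        self.max_failures = max_failures
        self.lock_by_ip = lock_by_ip
        self.lock_by_account = lock_by_account
        self.ip_failures = defaultdict(int)
        self.account_failures = defaultdict(int)

    def is_locked(self, ip, user):
        if self.lock_by_ip and self.ip_failures[ip] >= self.max_failures:
            return True
        if self.lock_by_account and self.account_failures[user] >= self.max_failures:
            return True
        return False

    def attempt(self, ip, user, password):
        """Process one login request; returns 'locked', 'ok' or 'fail'."""
        if self.is_locked(ip, user):
            # Refused before the password is even checked.
            return "locked"
        if user == ADMIN_USER and password == ADMIN_PASSWORD:
            self.ip_failures[ip] = 0
            self.account_failures[user] = 0
            return "ok"
        self.ip_failures[ip] += 1
        self.account_failures[user] += 1
        return "fail"


def run_attack(limiter, distributed):
    """Replay GUESSES against the limiter.

    A single-source attacker sends everything from one IP; a distributed one
    (botnet) uses a different IP for every request. Returns
    (attacker_succeeded, number_of_guesses_actually_checked)."""
    evaluated = 0
    for n, guess in enumerate(GUESSES, start=1):
        # 10.0.x.y is unique per attempt for n < 65536; the single source is fixed.
        ip = f"10.0.{n // 256}.{n % 256}" if distributed else "198.51.100.7"
        result = limiter.attempt(ip, ADMIN_USER, guess)
        if result != "locked":
            evaluated += 1
        if result == "ok":
            return True, evaluated
    return False, evaluated


def compare_policies():
    """Run the three configurations the thread argues about."""
    return {
        "per_ip_single_source": run_attack(
            LoginLimiter(lock_by_ip=True), distributed=False),
        "per_ip_botnet": run_attack(
            LoginLimiter(lock_by_ip=True), distributed=True),
        "per_account_botnet": run_attack(
            LoginLimiter(lock_by_ip=True, lock_by_account=True), distributed=True),
    }


if __name__ == "__main__":
    for name, (won, evaluated) in compare_policies().items():
        state = "succeeded" if won else "was blocked"
        print(f"{name}: attacker {state} after {evaluated} guesses were checked")
```

With a per-IP limit only, the single-source attacker is stopped after five checked guesses, but the distributed attacker is never throttled and lands on the password at guess 527, exactly as the second post predicts. Adding a per-account counter stops the distributed attacker too, at the cost that anyone who can send five bad passwords can lock the real administrator out, which is why real implementations combine per-account throttling with a time window or backoff rather than a permanent lock.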
  3. strings28

    I'm not sure the plugin works well, I'd have to look and see what I could see regarding the IP addresses.

    Posted: 7 years ago #
  4. How did your hacker get the reset email?

    Posted: 7 years ago #




  • Rating

    5 Votes
  • Status

    This is plugin territory