Avoid brute force attack
Hello,
I have found that it’s very easy to hack a user account with this plugin. I explain.
If we keep the default settings, so a 4-digit code and an expiry time of 15 minutes (900 seconds), and the fact that WordPress allows 50 requests per second and per IP by default (even a poor server can handle more than 10 REST API requests per second), then in the case that an attacker uses only one IP it would take approximately 200 seconds (less than 4 minutes) to reset a password. If you change the number of digits, it will approximately take:
5 digits: 2000 seconds (33 minutes)
6 digits: 200000 seconds (333 minutes -> 5.5 hours)
7 digits: 55 hours
8 digits: 23 days
9 digits: 231 days
10 digits: 2314 days
2314 days could seem a lot, but don’t forget that here we use only 1 IP.
A hacker would more often use 10, 100 or 1000+ different IPs.
Of course every 15 minutes (or more, depending on the lifetime of the code sent) you ask for a new code. (But if you still try the same range of numbers it won’t affect the chance of finding the password.)
So even with a 7-digit code it will be easy to hack a WordPress admin account in less than 6 minutes using only 10 different IPs.
Here are some suggestions to avoid this:
Send a unique link after a password has been updated to enable the account.
Send a new password by email instead of asking the user to add his own.
Allow non-digit characters in the generated code.
If more than 10 bad codes are entered, block the API endpoint for that user for 10 minutes or more. -> I think this is a great solution. Also, I think there should be an option to block resetting passwords of an admin account with this method.
What do you think?
Kind regards
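The lockout the post suggests (block the reset endpoint for a user after 10 bad codes, for 10 minutes) together with the code lifetime it mentions (900 seconds), written out as server-side verification logic. This is an added example and not the plugin's own code; it is in Python rather than the plugin's PHP for illustration, and the class and function names, the in-memory store, the injectable clock and the constant-time comparison are assumptions of this example, not part of the thread.

```python
"""Added example: lockout + expiry for a numeric password-reset code.

Parameters follow the thread: 4-digit code, 900 s lifetime, lockout after
10 bad codes for 600 s. Storage is an in-memory dict (assumption); a real
deployment would persist ResetState per user in the database so the counter
survives across requests and workers.
"""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class ResetState:
    code: str            # the code that was emailed to the user
    issued_at: float     # clock value when it was issued
    failures: int = 0    # bad attempts since issue or since the last lockout
    locked_until: float = 0.0  # clock value until which verification is refused


class ResetCodeVerifier:
    def __init__(self, digits=4, lifetime=900, max_failures=10, lockout=600,
                 clock=time.time):
        self.digits = digits
        self.lifetime = lifetime
        self.max_failures = max_failures
        self.lockout = lockout
        self.clock = clock          # injectable so tests can fake time
        self.state = {}             # user -> ResetState (assumption: in-memory)

    def issue(self, user):
        """Generate a fresh random code for the user (CSPRNG, not random.*)."""
        code = "".join(secrets.choice("0123456789") for _ in range(self.digits))
        self.state[user] = ResetState(code=code, issued_at=self.clock())
        return code

    def verify(self, user, attempt):
        """Return one of: no_code, locked, expired, ok, bad_code."""
        now = self.clock()
        st = self.state.get(user)
        if st is None:
            return "no_code"
        # Lockout is checked first, so a correct guess during the block is refused too.
        if now < st.locked_until:
            return "locked"
        if now - st.issued_at > self.lifetime:
            del self.state[user]
            return "expired"
        # Constant-time compare: the response time must not leak matching digits.
        if hmac.compare_digest(st.code, attempt):
            del self.state[user]    # single use: the code cannot be replayed
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout
            st.failures = 0
            return "locked"
        return "bad_code"


def guesses_per_code_lifetime(lifetime, max_failures, lockout):
    """Upper bound on guesses one code can receive under this lockout,
    assuming the attacker starts at issue time and retries as soon as each
    block ends. With the thread's numbers this is 10 + 10 = 20 guesses
    against a 4-digit space of 10,000, instead of the whole space."""
    windows = lifetime // lockout + 1
    return max_failures * windows


if __name__ == "__main__":
    v = ResetCodeVerifier()
    code = v.issue("alice")
    print("issued", code)
    print("wrong guess ->", v.verify("alice", "0000" if code != "0000" else "0001"))
    print("right code  ->", v.verify("alice", code))
    print("guesses per code lifetime:", guesses_per_code_lifetime(900, 10, 600))
```

The lockout is keyed per user rather than per IP, which is what removes the benefit of spreading guesses over many IPs as the post describes; the trade-off is that anyone who knows a username can keep that user's reset endpoint locked, which is why this is usually combined with per-IP limiting and with the single-use link suggested above rather than used alone.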