More secure, better performance

  • Hi,

    All of us are suffering from brute force attacks, and I think that it’d be easy to implement some code in next WP versions to avoid them (hide login and something against xmlrpc and directory traversal attacks).

    Best regards,
    Jordi

    • This topic was modified 4 months, 1 week ago by SanJordi.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Yui

    (@fierevere)

    ゆい

    This is clearly a plugin area, you can choose among many available alternatives

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Jordi, I have removed the link. This site is not for promoting any blog post.

    All of us are suffering from brute force attacks, and I think that it’d be easy to implement some code in next WP versions to avoid them (hide login and something against xmlrpc and directory traversal attacks).

    Most of that is addressed here.

    https://wordpress.org/support/article/hardening-wordpress/

    Hiding the login is a choice but does not make an installation more secure, it just makes it harder to support. It also may do nothing for XMLRPC access.

    If someone is concerned about people logging into their WordPress installation then strong passwords and/or 2FA is the way to go.

    https://wordpress.org/plugins/search/two+factor/
    https://wordpress.org/plugins/search/strong+passwords/

    Both of which are plugin territory.

    Jack

    (@jdabber)

    I think 2FA should almost be considered for core at this stage. However, I know that it could potentially lock out non-tech-savvy users who don’t understand what they’re enabling or the importance of writing down the backup seed.

    WordFence has one of the most straightforward setups I’ve seen so far. The QR also worked well with my open-source authenticator from F-Droid (no proprietary OTP authenticator lock-in).

    • This reply was modified 4 months ago by Jack. Reason: their to they're
    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    I think 2FA should almost be considered for core at this stage.

    I agree with you. But the very wise people who support that code have seen 2FA go horrifically bad at other places and at scale. Best to keep it optional via a plugin.
