Monday 3 June 2013

Re: [dcphp-dev] Wordpress security plugin recommendation

Agree that this is not a good solution for serious and sophisticated attacks. This is meant to prevent the regular hackers just messing around.
Thanks for the advice.


On Mon, Jun 3, 2013 at 3:27 PM, Andrew Nacin <wp@andrewnacin.com> wrote:
On Mon, Jun 3, 2013 at 1:46 PM, Gennady Nurik <gnurik@gmail.com> wrote:
I'm new to WordPress, can anyone recommend a plugin for WordPress that can help enforce password security and can lock accounts after x failed attempts and help battle intrusion attacks. http://wordpress.org/plugins/better-wp-security/ seems bulky and http://wordpress.org/plugins/login-security-solution/ doesn't have as many downloads. Is anyone aware of any side-effects of these plugins that aren't already posted on their FAQs? Any advice is much appreciated.


The big problem is that they're not particularly effective:
 * Most attacks limit the number of attacks from a single IP anyway
 * They can make it easier for the database to become overloaded (essentially contributing to a DDOS)
 * You're just as likely to end up locking out the site owner

Once you start to treat this as a targeted DDOS, it becomes clear that you need to solve this *outside* of WordPress and PHP, at the server or network level. Or by doubling up on authentication schemes, like with basic HTTP auth or some other second factor, etc.

Because there's no silver bullet, and pretty much all solutions can be trivially worked around (often with the side effect of overloading and taking down the site), WordPress core doesn't have a secret weapon we can deploy to suddenly render these attacks ineffective. Such as it is. (If you have any ideas, I'm happy to hear them.)

Nacin
(WP lead dev)
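
Added example, not part of the thread and not code from any of its participants: a Python sketch of the first and third points in the list above, run over a constructed access log. The IPs (documentation ranges), both thresholds, and the assumption that a failed WordPress login is answered with status 200 are illustrative; it shows a per-IP attempt limit catching only the mistyping owner while a site-wide per-minute count, the kind of check that sits at the server level, sees the distributed run.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

TS = "%d/%b/%Y:%H:%M:%S %z"
# Combined-log-format prefix: client IP, timestamp, method, path, status.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def failed_logins(lines):
    """Yield (ip, time) per failed login POST (assumption: failure answers 200)."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0] == "/wp-login.php" and status == "200":
            yield ip, datetime.strptime(ts, TS)

def per_ip_lockouts(lines, max_attempts=5):
    """IPs that a per-IP attempt limit (the lockout-plugin model) would block."""
    counts = Counter(ip for ip, _ in failed_logins(lines))
    return sorted(ip for ip, n in counts.items() if n >= max_attempts)

def busy_minutes(lines, max_per_minute=30):
    """Minutes where site-wide failed logins exceed a server-level budget."""
    counts = Counter(t.replace(second=0) for _, t in failed_logins(lines))
    return {m.strftime("%H:%M"): n for m, n in counts.items() if n > max_per_minute}

def sample_log():
    """Constructed data: 40 sources x 3 attempts in one minute, owner mistyping 5x."""
    start = datetime.strptime("03/Jun/2013:15:00:00 +0000", TS)
    fmt = '{ip} - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 3012'
    lines = []
    for i in range(40):
        for k in range(3):
            ts = start + timedelta(seconds=(i + 13 * k) % 60)
            lines.append(fmt.format(ip=f"198.51.100.{i + 1}", ts=ts.strftime(TS)))
    for k in range(5):
        ts = start + timedelta(minutes=10, seconds=5 * k)
        lines.append(fmt.format(ip="203.0.113.7", ts=ts.strftime(TS)))
    # A plain page view of the login form must not be counted.
    lines.append('192.0.2.9 - - [03/Jun/2013:15:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2500')
    return lines

if __name__ == "__main__":
    log = sample_log()
    print("per-IP lockouts:", per_ip_lockouts(log))
    print("site-wide busy minutes:", busy_minutes(log))
```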
