WordPress security

I subscribe to Smashing Magazine, and just finished reading this article. Most of their articles do not appeal to me (mostly because I have no Photoshop skills, and don’t work with Photoshop at all) but there is the odd piece of gold there even for me.

Today it was in the form of summarizing things you can do to harden your WordPress installation. Sometimes though, funny little discrepancies sneak through. Like for instance, if you follow tip #8 (Suppress error feedback on the log-in page) your installation won’t leak whether it was the username or password which was erroneous. It does however leave an ugly red field (in which said error feedback used to live).

Then along comes tip #9 (Restrict erroneous log-in attempts) and suggests two plug-ins to thwart brute-force login attempts, like Limit Login Attempts. It actually overrides the default WordPress error feedback, instead reporting something about “username or password” being wrong.

These types of solutions usually come with a real drawback, namely that if you try to access an account too many times, the account is locked and unusable. This allows a malicious person to deny the author access to the blog.

I just tested this plugin, which seems to base the restriction on IP address instead of actually locking the account. While this makes it possible for an attacker to simply switch IP and continue the attack, the purpose of this kind of security measure is of course not to make an attack impossible, just infeasible, in the same way that a speed bump doesn’t make it impossible to drive down a street at high speed, but it can make it really uncomfortable.
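As an added illustration (my own sketch, not code from the Smashing article or from the Limit Login Attempts plugin) of what tips #8 and #9 look like when combined the way described above: a tiny WordPress plugin that replaces the error text with one fixed sentence and throttles failed log-ins per IP rather than per account, built on the standard login_errors, wp_login_failed, authenticate and wp_login hooks. The limits and the ex_ names are arbitrary assumptions.

```php
<?php
/*
Plugin Name: Example: generic log-in errors + per-IP throttling
*/

// Assumed limits: five failures from one IP lock that IP out for 15 minutes.
define( 'EX_MAX_ATTEMPTS', 5 );
define( 'EX_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

// Transient key for the calling IP. Behind a reverse proxy REMOTE_ADDR is the
// proxy itself; resolve the real client address before relying on this.
function ex_ip_key() {
    return 'ex_login_fail_' . md5( $_SERVER['REMOTE_ADDR'] );
}

function ex_ip_is_locked() {
    return (int) get_transient( ex_ip_key() ) >= EX_MAX_ATTEMPTS;
}

// Tip #8: replace whatever WordPress wanted to say with one fixed sentence, so
// the page no longer reveals whether the username or the password was wrong.
// Returning a non-empty string keeps the red box from rendering empty.
add_filter( 'login_errors', function ( $errors ) {
    return ex_ip_is_locked()
        ? 'Too many failed log-in attempts; please try again later.'
        : 'Invalid username or password.';
} );

// Tip #9, keyed on the client IP rather than the account: hammering the
// author's username only locks out the address doing the hammering. Each
// further failure restarts the 15-minute window.
add_action( 'wp_login_failed', function ( $username ) {
    $key = ex_ip_key();
    set_transient( $key, (int) get_transient( $key ) + 1, EX_LOCKOUT_SECONDS );
} );

// Priority 30 runs after WordPress's own password check (priority 20), so a
// locked-out IP is refused even when it finally guesses the right password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ex_ip_is_locked() ) {
        return new WP_Error( 'ex_locked_out', 'Too many failed log-in attempts.' );
    }
    return $user;
}, 30, 3 );

// A successful log-in from this IP clears its counter.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( ex_ip_key() );
}, 10, 2 );
```

Drop the file into wp-content/plugins and activate it; transients live in the options table (or the object cache), so the counters survive across requests without any extra storage.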
