I recently added security to my WordPress blog, now that blogs like these are being targeted by botnets. I’ve found a great plugin called “Limit Login Attempts” which lets me set lockout values for people who try to guess the ‘admin’ account password.
First, let’s just say that the entropy of my admin account passwords is so high that there isn’t enough time left in the Universe to try every combination, but that being said, my values for this plugin would make this a non-issue anyway. I give people 4 attempts at the ‘admin’ account; after that they are locked out for 1440 minutes, a day. If they get locked out twice, the lockout penalty goes to 720 hours, or a month. There is a 4320 hour span until retries are reset; that’s 6 months.
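To make the numbers above concrete, here is the same lockout policy written out as a small per-IP state machine. This is an added illustration, not the Limit Login Attempts plugin’s own code: the field names, the `LoginGuard` class, the choice to refresh the reset window on every failure, and the sample IP `203.0.113.7` are all this example’s assumptions. The one property worth noticing is that a locked-out client is refused before the password is even checked, so a correct guess made during the lockout tells the guesser nothing.

```python
"""Lockout policy from the post (4 retries, 1440 min lockout, 2 lockouts -> 720 h,
counters reset after 4320 h) as a per-IP state machine.
Added illustration; not the Limit Login Attempts plugin's code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
import time

MINUTE = 60
HOUR = 60 * MINUTE


@dataclass
class Policy:
    """Values are the ones from the post; the field names are this example's own."""
    allowed_retries: int = 4                 # failures before a lockout
    lockout_seconds: int = 1440 * MINUTE     # 1 day
    allowed_lockouts: int = 2                # lockouts before the long penalty applies
    long_lockout_seconds: int = 720 * HOUR   # 30 days
    reset_seconds: int = 4320 * HOUR         # 180 days until counters are forgotten


@dataclass
class ClientState:
    retries: int = 0
    lockouts: int = 0
    locked_until: float = 0.0
    reset_at: float = 0.0


class LoginGuard:
    """Tracks failed logins per source IP and enforces the lockout policy."""

    def __init__(self, policy: Optional[Policy] = None,
                 clock: Callable[[], float] = time.time):
        self.policy = policy or Policy()
        self.clock = clock  # injectable so the timeline can be simulated offline
        self.clients: Dict[str, ClientState] = {}

    def _state(self, ip: str, now: float) -> ClientState:
        st = self.clients.get(ip)
        if st is None or now >= st.reset_at:
            # Assumption: all counters are forgotten once the reset window expires.
            st = ClientState()
            self.clients[ip] = st
        return st

    def remaining_lockout(self, ip: str) -> float:
        """Seconds of lockout left for this IP (0 if not locked)."""
        st = self.clients.get(ip)
        if st is None:
            return 0.0
        return max(0.0, st.locked_until - self.clock())

    def attempt(self, ip: str, password_ok: bool) -> str:
        """Returns 'locked', 'allowed', 'failed' or 'lockout'.

        The lockout check comes first: a correct password during a lockout is
        still refused, so the lockout never acts as a password oracle."""
        now = self.clock()
        st = self._state(ip, now)
        if now < st.locked_until:
            return "locked"
        if password_ok:
            st.retries = 0  # lockout history is kept until the reset window expires
            return "allowed"
        st.retries += 1
        st.reset_at = now + self.policy.reset_seconds  # assumption: refreshed per failure
        if st.retries < self.policy.allowed_retries:
            return "failed"
        st.retries = 0
        st.lockouts += 1
        if st.lockouts >= self.policy.allowed_lockouts:
            st.locked_until = now + self.policy.long_lockout_seconds
        else:
            st.locked_until = now + self.policy.lockout_seconds
        return "lockout"


def simulate() -> Dict[str, object]:
    """Constructed scenario (not a real log): one IP guessing 'admin' twice over."""
    policy = Policy()
    t = [0.0]
    guard = LoginGuard(policy, clock=lambda: t[0])
    ip = "203.0.113.7"  # documentation-range address, constructed for the example
    first: List[str] = [guard.attempt(ip, False) for _ in range(policy.allowed_retries)]
    first_lockout = guard.remaining_lockout(ip)
    t[0] = 100.0
    during = guard.attempt(ip, True)          # right password, still refused
    t[0] = float(policy.lockout_seconds)      # first lockout has just expired
    second = [guard.attempt(ip, False) for _ in range(policy.allowed_retries)]
    second_lockout = guard.remaining_lockout(ip)
    return {"first": first, "first_lockout": first_lockout, "during": during,
            "second": second, "second_lockout": second_lockout}


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` walks the timeline: three counted failures, a fourth that triggers the one-day lockout, a refused attempt during it even with the right password, and a second round after expiry that trips the 720 hour penalty. One caveat when tuning values this aggressive: the state is keyed on source IP, so everyone behind the same NAT or proxy shares one counter and one lockout.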
Of course, the plugin also captures the IP address, so I’m going to look into getting an IP blacklist plugin and adding these captured IP addresses to that blacklist. They’ll never be allowed onto my blog. This line of reasoning led me to think about an immune system for the Internet. If an IP does something wrong, it is blacklisted and that fact is then sent to every other site, and they blacklist it as well. One false move and you are suddenly banished from the network. I think this would radically change how people behave online. There would definitely be a lot of noise raised when people are suddenly unable to communicate with any host whatsoever because their systems were filthy, compromised, or malevolent. That would add a certain measure of responsibility. It would take only a little more to set up a site like Digg where people vote on the malevolence of comment traffic, putting trolls right alongside botnets and black-hats, out in the cold, banished where they all belong.
I can smell an RFC forming. 🙂
http://wordpress.org/extend/plugins/bad-behavior/
I use Bad Behavior on my site with an associated Drupal module, and it works pretty well except when the developer falls behind on updating the script to detect new bot methods. I now use this in conjunction with the BOTCHA and Troll modules (which includes a premade blacklist of IP ranges from common attack origins, but since IP addresses can be spoofed that’s only marginally effective). BOTCHA works so well that I stopped using CAPTCHA to protect the comment fields. I’m looking into adding something similar to limit login attempts, but for now I just renamed the admin account on the sites I’m hosting, reset their passwords and hid them from public view. Just because I’m using Drupal doesn’t mean it won’t become the next target/vector of attack.