Limit Login Attempts Plugin

I recently added security to my WordPress blog now that blogs like these are being targeted by botnets. I’ve found a great plugin called “Limit Login Attempts” which allows me to set lockout values for people who try to guess what the ‘admin’ account password is.

First, let’s just say that the level of entropy in my admin accounts is so high that there isn’t enough time left in the Universe to try every combination – but that being said, my values for this plugin would make this a non-issue. I give people 4 attempts to try the ‘admin’ account; after that they are locked out for 1440 minutes, a day. If they lock out twice, the lockout penalty goes to 720 hours, or a month. There is a 4320-hour span until retries are reset, that’s 6 months.
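As an added example (not the plugin’s own code), here is a small Python model of the escalating lockout policy just described, with the author’s values converted to seconds. The client IP, the timestamps and the way counters are forgotten after the reset window are simplifying assumptions, not the plugin’s exact behaviour.

```python
from dataclasses import dataclass

# Constructed policy values taken from the settings described above and
# converted to seconds (the author's numbers, not the plugin's defaults).
ALLOWED_RETRIES = 4                 # failed attempts before a lockout
LOCKOUT_SECONDS = 1440 * 60         # first lockout: 1440 minutes (a day)
LOCKOUTS_BEFORE_LONG = 2            # lockouts before the long penalty applies
LONG_LOCKOUT_SECONDS = 720 * 3600   # long lockout: 720 hours (a month)
RESET_SECONDS = 4320 * 3600         # counters reset after 4320 hours (six months)

@dataclass
class ClientState:
    failures: int = 0        # failed attempts since the last lockout
    lockouts: int = 0        # lockouts within the current reset window
    locked_until: float = 0  # time the current lockout expires
    reset_at: float = 0      # time the counters are forgotten

class LoginLimiter:
    """Per-client-IP lockout tracking; 'now' is passed in so it is testable."""

    def __init__(self):
        self.clients = {}

    def _state(self, ip, now):
        st = self.clients.setdefault(ip, ClientState())
        # Simplifying assumption: counters are forgotten once the reset window
        # has passed, but an active lockout still runs to completion first.
        if st.reset_at and now >= st.reset_at and now >= st.locked_until:
            st = self.clients[ip] = ClientState()
        return st

    def is_locked(self, ip, now):
        return now < self._state(ip, now).locked_until

    def record_failure(self, ip, now):
        """Register a failed login; returns True if the client is now locked out."""
        st = self._state(ip, now)
        if now < st.locked_until:
            return True  # already locked out; the attempt is not counted
        if st.reset_at == 0:
            st.reset_at = now + RESET_SECONDS
        st.failures += 1
        if st.failures < ALLOWED_RETRIES:
            return False
        st.failures = 0
        st.lockouts += 1
        long_penalty = st.lockouts >= LOCKOUTS_BEFORE_LONG
        st.locked_until = now + (LONG_LOCKOUT_SECONDS if long_penalty else LOCKOUT_SECONDS)
        return True
```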

Of course, the filter also captures the IP address, so I’m going to look into getting an IP blacklist plugin and adding these captured IP addresses to that blacklist. They’ll never be allowed onto my blog. This line of reasoning led me to think about an immune system for the Internet. If an IP does something wrong, it is blacklisted and that fact is then sent to every other site and they blacklist it as well. One false move and you are suddenly banished from the network. I think this would radically change how people behave online. There would definitely be a lot of noise raised when people are suddenly unable to communicate with any host whatsoever because their systems were filthy, compromised, or malevolent. That would add a certain value of responsibility. It would only be a little bit more to establish a site like Digg where people vote on the malevolence of comment traffic, putting trolls right along with botnets and black-hats, out in the cold, banished where they all belong.

I can smell an RFC forming. 🙂

photo by: katerha

WordPress Security

I run a gaggle of WordPress blogs, both for personal reasons and for work reasons. My SupportPress site runs on WordPress.org, and the host I’ve been using all along, iPage, sent me an email informing me that they have detected a botnet-sourced cyberattack directed at the login pages of WordPress.org installations. They also informed all their customers that they have installed network limits on these attacks, but that even though the attacks have been greatly reduced, it shouldn’t lead to a flagging of security vigilance.

No time like the present to get things installed on all my WordPress blogs. The first thing I can think of, since all my passwords are 16 to 20 characters long, randomized, stored for me in 1Password, and stored in such a way that even I don’t know them, is to install a plugin called Limit Login Attempts on all the WordPress blogs I manage. This will prevent people from screwing up their login attempts and it will email me when they try. So far this blog is covered and I don’t really expect any problems here.

Thanks to social networking, especially Twitter and my good friend @wyrdsmyth, and my hosting provider iPage, I have been protected all along. More security is usually a good thing and in this case, warranted with this extra plugin. Next stop: all the other blogs I manage.

photo by: walla2chick