Login Security Feature Request


Viewing 7 posts - 1 through 7 (of 7 total)
  • #16107
    protection
    Participant

    I’m currently using “Limit Login Attempts,” but would love to deactivate/delete it if BPS will someday implement the same feature that Limit Login Attempts has:

    X lockouts increase lockout time to Y hours.

    In other words, suppose in BPS Pro I have my Max Login Attempts set to 3, and my Automatic Lockout Time set to 20 minutes. This means that after 3 failed attempts they’ll be able to try again in 20 minutes.  In Limit Login Attempts, it allows you to specify a lockout time period after a certain number of lockouts has occurred.

    Any plans of implementing this?
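
    The escalation described in this request, as an added example that is not part of the original thread and not code from either plugin: a small Python login limiter keyed per client (an IP address here) that locks a client out after max_attempts failures for base_lockout, and after escalate_after lockouts switches to the longer long_lockout. All names, policy values, the address 203.0.113.7 and the timestamps are assumptions constructed for the example; the repeat_offenders() report is a minimal answer to the later question in this thread about noticing IPs that keep coming back after several lockouts.

```python
"""Escalating login lockout (added example; not the plugin's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

START = datetime(2024, 1, 1, 0, 0, 0)  # constructed clock origin for the simulation


@dataclass(frozen=True)
class LockoutPolicy:
    """Tunables named after the terms used in the thread; values are constructed examples."""
    max_attempts: int = 3                            # failures before a lockout ("Max Login Attempts")
    base_lockout: timedelta = timedelta(minutes=20)  # "Automatic Lockout Time"
    escalate_after: int = 4                          # X lockouts ...
    long_lockout: timedelta = timedelta(hours=24)    # ... raise the lockout to Y hours


@dataclass
class ClientState:
    failures: int = 0                      # failures since the last lockout or success
    lockouts: int = 0                      # lockouts applied so far
    locked_until: Optional[datetime] = None


class LoginLimiter:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._clients: Dict[str, ClientState] = {}

    def _state(self, key: str) -> ClientState:
        return self._clients.setdefault(key, ClientState())

    def is_locked(self, key: str, now: datetime) -> bool:
        st = self._state(key)
        return st.locked_until is not None and now < st.locked_until

    def record_failure(self, key: str, now: datetime) -> Optional[timedelta]:
        """Count one failed login; return the lockout duration if this failure triggers one."""
        st = self._state(key)
        if self.is_locked(key, now):
            return None  # rejected outright; hammering during a lockout does not extend it
        st.failures += 1
        if st.failures < self.policy.max_attempts:
            return None
        st.failures = 0
        st.lockouts += 1
        duration = (self.policy.long_lockout
                    if st.lockouts >= self.policy.escalate_after
                    else self.policy.base_lockout)
        st.locked_until = now + duration
        return duration

    def record_success(self, key: str) -> None:
        """A successful login clears the failure window but keeps the lockout history."""
        self._state(key).failures = 0

    def repeat_offenders(self, min_lockouts: int) -> Dict[str, int]:
        """Clients that have been locked out at least min_lockouts times."""
        return {k: s.lockouts for k, s in self._clients.items() if s.lockouts >= min_lockouts}


def simulate(policy: LockoutPolicy, rounds: int) -> List[int]:
    """Drive one client through `rounds` bursts of failures, waiting out each lockout.

    Returns the lockout length in minutes applied after each burst.
    """
    limiter = LoginLimiter(policy)
    ip = "203.0.113.7"  # constructed address from the RFC 5737 documentation range
    now = START
    applied: List[int] = []
    for _ in range(rounds):
        results = [limiter.record_failure(ip, now) for _ in range(policy.max_attempts)]
        lockout = results[-1]
        assert lockout is not None  # the last failure of a burst always locks
        applied.append(int(lockout.total_seconds() // 60))
        now += lockout  # the bot comes back exactly when the lockout expires
    return applied


if __name__ == "__main__":
    # With the defaults: three 20-minute lockouts, then 24-hour ones.
    print(simulate(LockoutPolicy(), 5))
```

    Two details matter for a defender: attempts made while a client is locked out are rejected without being counted, so a bot that keeps hammering during its lockout cannot push itself into an ever-longer lockout and the state stays bounded; and the lockout count survives a successful login, so a client that eventually guesses right still shows up in repeat_offenders().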

    #16120
    AITpro Admin
    Keymaster

    The primary goal/purpose of Login Security is to stop Brute Force Login attacks, i.e. not allowing an unlimited number of login attempts in order to be able to crack a password.  This would be automated by a hackerbot of course since human hackers don’t actually visit websites that they are attempting to hack – this is completely automated with bots.  A bot would be able to do 1,000’s of Login attempts in a few seconds if Login Security was not in place.

    I actually do not understand what the intended benefit/purpose of adding an additional lockout period would be.  Since the hackerbot is stopped after X number of tries then why would you want to add an additional lockout period?  Am I missing something here?

    If you are using BPS Pro JTC Anti-Spam / Anti-Hacker then hackerbots are stopped before they can attempt Brute Force Login attacks and spambots are stopped from automated spam registrations, logins and comment posting. 😉

    #16125
    protection
    Participant

    I figured that behind every bot was a human being that might get deterred if they realize they’ve been blocked for a long period of time (and that security was in place), and would just kill their brute force script 😉

    I’m using another plugin for users to log into the front end (wp-members), although I’m assuming bots are most likely trying to hack through <domain>/wp-login.php. It’s possible that I’ll get rid of front-end logins to my site in the future, and if that’s the case, will ditch Limit Login Attempts and just stick with LSM from BPS Pro (and incorporate BPS Pro JTC Anti-Spam / Anti-Hacker).

    Thanks for getting back so quickly,
    Pete

    #16126
    AITpro Admin
    Keymaster

    Typically the code in the hacker’s delivery system / hackerbot user agent has a built-in check for 403 errors / being blocked and will move on to unprotected targets / sites either on the first round of being blocked or on the second or third rounds of being blocked.

    The general idea is to hack websites in volume – i.e. hack 1,000’s of sites in a day and then sell those hacked sites off on the black market.  A hacked website is typically worth about $.15 to $1 dollar on the black market so to make any money selling hacked sites off the hacker has to have a large volume of hacked sites to sell to make it worthwhile / profitable.  The point is the human hacker’s delivery system is designed not to waste resources and move on to easier targets fairly quickly.  It would be a waste of resources for the human hacker to attack a protected target.

    #16128
    protection
    Participant

    Thanks for the detailed info! Your plugin is amazing 🙂

    #16155
    Tony Payne
    Participant

    I think the Login Security has saved me in the last few months, since I have a constant log of hackers (bots) trying to log in almost every hour on 3 sites.

    Fortunately this stops them from keeping on trying, but on one site the same IP address keeps trying and has been for over a week.  It’s “supposedly” a Japanese host, but I know that can be faked, and in this case it could be a script that is set to always use the same IP and Host of course.

    It would be nice if there was an easy way to block IPs that have tried to break in on multiple occasions, maybe even an automatic way. I was thinking that an auto re-direct to another site might be good, so that every time they tried to break in they would find themselves logged there.

    Maybe there is a good plugin already that will do this, but I couldn’t find anything.

    By the way, the latest version of BPS Pro is a HUGE improvement in my opinion. I find the menus and options far more intuitive to use, and love the fact that having installed a new plugin or performed updates the backups and setting changes are all done for me.

    #16156
    AITpro Admin
    Keymaster

    http://forum.ait-pro.com/forums/topic/buddypress-spam-registration-buddypress-anti-spam-registration/

    We spent several months researching and testing IP blocking on a large scale back in 2013, i.e. CIDR country blocking code and other various automated IP blocking methods.  The end result of all that testing was that we found that any form of IP blocking on a large scale was not very effective and caused significant resource drain/slow downs for your website/server.

    JTC Anti-Spam / Anti-Hacker is very effective, simple & quick to implement and actually improves your website/server performance because auto-posting hackerbots and spambots are stopped before Login processing.  The numbers/results are much better than we anticipated and are pretty incredible:  http://forum.ait-pro.com/forums/topic/buddypress-spam-registration-buddypress-anti-spam-registration/page/2/#post-1294

    If you are seeing that hackerbots and spambots are being stopped/blocked in your Security Log then you do not need to do anything else since these are just log entries showing that they were stopped/blocked.

    Yep, the NAV is finally figured out and yep automation is now very good.
