Plugin Author
Paul
(@paultgoodchild)
Spread over 2 days, 10,000 login attempts isn’t actually a lot… it sounds like a lot, but it’s hardly anything. This means they’re accessing about once every 15-20s. That’s not a brute force attack.
Take a look at this:
http://math.stackexchange.com/questions/739874/how-many-possible-combinations-in-8-character-password
You will see that with even a “small” 8 character alphanumeric password, the possible permutations are HUGE.
10,000… is hardly anything.
The login protection cooldown fights proper brute force attacks very effectively since even with a 10s cooldown, it could take up to 567200 days to crack an 8-digit password.
That’s quite effective. Without a cooldown, you’re in trouble.
That’s assuming you even know the admin login username to attack.
If they’re giving up after a few days and they have a cooldown of 10-20s, they’re not going to get anywhere.
* Also, you could whitelist your own IP address so you’re not affected by the cooldown system. 🙂
I hope that helps.
Thanks,
Paul.
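To make the cooldown argument in the post above concrete, here is an added illustration (example code written for this thread, not the Simple Security Firewall plugin's own code) of a site-wide login cooldown with an IP allowlist, plus the keyspace arithmetic. The class name `LoginGuard`, the global-cooldown interpretation and the sample IP addresses are assumptions; time is passed in as a number so the logic can be exercised offline.

```python
"""Login cooldown throttle with an IP allowlist, plus keyspace arithmetic.

Added illustration for the forum thread; NOT the plugin's code.
LoginGuard, its method names and the sample addresses are hypothetical.
"""
import ipaddress
from typing import List, Optional


class LoginGuard:
    """Reject any login attempt that arrives within `cooldown` seconds of the
    previous accepted attempt, no matter which IP sends it.

    Because the cooldown is site-wide (an assumption about the mechanism
    described in the thread), it caps the total guess rate even when many
    source IPs participate. Allowlisted addresses or CIDR ranges bypass it,
    which is what the "whitelist your own IP" advice refers to.
    """

    def __init__(self, cooldown: float = 10.0, allowlist: Optional[List[str]] = None):
        self.cooldown = cooldown
        # Accept single addresses ("203.0.113.5") or ranges ("203.0.113.0/24").
        self._networks = [ipaddress.ip_network(a, strict=False) for a in (allowlist or [])]
        self._last_accepted: Optional[float] = None

    def is_allowlisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self._networks)

    def attempt(self, ip: str, now: float) -> bool:
        """Return True if the attempt may proceed to credential checking."""
        if self.is_allowlisted(ip):
            return True
        if self._last_accepted is not None and now - self._last_accepted < self.cooldown:
            return False  # still cooling down: drop before touching the user table
        self._last_accepted = now
        return True


def keyspace(length: int, alphabet_size: int = 62) -> int:
    """Number of passwords of exactly `length` characters over `alphabet_size` symbols.

    62 = a-z + A-Z + 0-9, the "alphanumeric" case the linked question discusses.
    """
    return alphabet_size ** length


def days_to_exhaust(length: int, cooldown_seconds: float, alphabet_size: int = 62) -> float:
    """Worst-case days to try every password when at most one guess per cooldown gets through."""
    return keyspace(length, alphabet_size) * cooldown_seconds / 86400


def simulate(guard: LoginGuard, ip: str, attempts: int, interval: float) -> int:
    """Fire `attempts` guesses from `ip`, `interval` seconds apart (constructed
    traffic); return how many the guard lets through to credential checking."""
    return sum(1 for i in range(attempts) if guard.attempt(ip, i * interval))


if __name__ == "__main__":
    # Constructed scenario: a scanner hammering once per second for 100 s.
    fast = LoginGuard(cooldown=10.0)
    print("accepted with 10 s cooldown:", simulate(fast, "198.51.100.7", 100, 1.0))

    # The thread's case: ~10,000 tries over 2 days is one every ~17 s, so a
    # 10 s cooldown never even triggers; the keyspace is what defeats it.
    slow = LoginGuard(cooldown=10.0)
    print("accepted at one try / 17.28 s:", simulate(slow, "198.51.100.7", 10_000, 17.28))

    # Allowlisted admin address (constructed) is never throttled.
    admin = LoginGuard(cooldown=10.0, allowlist=["203.0.113.0/24"])
    print("admin attempts accepted:", simulate(admin, "203.0.113.5", 50, 0.1))

    print("8-char alphanumeric keyspace:", keyspace(8))
    print("days to exhaust it at 10 s/guess: %.3g" % days_to_exhaust(8, 10))
```

Running it shows the two halves of the argument: the cooldown bounds how fast anyone can guess, and the keyspace makes that bounded rate hopeless for anything beyond a trivially short password. An attacker pacing requests slower than the cooldown is not slowed at all, which is why the thread treats the server load, not the risk of a successful guess, as the remaining problem.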
Thread Starter
Handoko
(@handoko-zhang)
Thanks for the reply. Okay, I missed the “whitelist IP feature”. But, what should I put if my internet provider doesn’t provide me with a static IP? Also, what if I try to log in when I’m on vacation in other countries?
Yep, 10,000 login attempts isn’t much. The worst I ever had is 80,000 attempts coming together from 2 IPs attacking a single site. They all failed, but the thing I don’t like is they’re burdening my server and wasting the bandwidth.
So, what is your suggestion for the cooldown interval that is good for most cases? For your information, I haven’t installed your plugin yet.
I’ve just checked my cPanel log, and I can see it’s still trying to log in to one of my sites. I was thinking of manually blocking it via .htaccess. But I found you’re correct, as you mentioned on your plugin’s description page, that banning IPs isn’t a good idea.
Anyways, Simple Security Firewall seems to be a good security plugin. I’ll be sure to try it someday.
Note:
Providing some screenshot pictures will make more people want to try your plugin. Some people (including me) are too lazy to watch the 6-minute introduction video.
Plugin Author
Paul
(@paultgoodchild)
The login cooldown period is really up to you and how you think it best suits your site and its uses. I can’t say to be honest. I put it at 60s for my sites, but that suits my profile.
As to the bandwidth burden… unfortunately there’s not a lot to be done there about that. If the IP really is constant, you could temporarily ban it in your .htaccess, but as you know, this doesn’t scale.
As to the screenshots etc., you’re right, I can definitely do better to help people get started. You also need to put a higher priority on understanding the tools you use… it’s up to you. A security plugin doesn’t fix everything, it provides you the tools to do what you can to protect yourself, but you still have to know what you’re doing. But if 6 minutes is too long to learn a bit more about a security plugin, that’s not something I can fix.
Thanks for the feedback.