Developer | convissor |
---|---|
Updated | August 14, 2016 01:19 |
Donation address: | Donate |
PHP version: | 3.3 and above |
WordPress version: | 3.4.1 |
* the mbstring extension is enabled.
* The tests have caught every password dictionary entry I've tried.
* the dict dictionary program (if available)
* display_errors is on and error_reporting includes E_NOTICE
"According to SophosLabs more than 30,000 websites are infected every day and 80% of those infected sites are legitimate. Eighty-five percent of all malware, including viruses, worms, spyware, adware and Trojans, comes from the web. Today, drive-by downloads have become the top web threat."
-- Security Threat Report 2012

So if your site does get cracked, not only do you waste hours cleaning up: your reputation gets sullied, security software flags your site as dangerous, and worst of all, you've inadvertently helped infect the computers of your clients and friends. Oh, and if the attack involves malware, that malware has probably gotten itself into your computer as well.
This plugin uses the REMOTE_ADDR provided by the web server (as do WordPress' new comment functionality and the Akismet plugin). Behind a reverse proxy or load balancer, REMOTE_ADDR holds the proxy's address rather than the visitor's, so every visitor looks like the same client and per-address failure tracking cannot tell them apart. If you want our brute force tracking to work in such an environment, we advise adjusting your wp-config.php file to manually set REMOTE_ADDR from a data source appropriate for your environment. For example:

http://wordpress.org/extend/plugins/login-security-solution/
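The README's own wp-config.php example did not survive on this page. The following is an added illustration, not code from the plugin: it assumes the site sits behind a reverse proxy whose addresses you know (the two 10.0.0.x addresses are hypothetical) and that the proxy appends the connecting client's address to X-Forwarded-For. The function name lss_example_client_ip is made up for this example.

```php
<?php
// Added illustrative snippet for wp-config.php, not code shipped with the plugin.
// Assumption: the site sits behind one or more reverse proxies whose addresses
// are known; adjust $trusted_proxies for your environment. Place this ABOVE the
// "require_once ABSPATH . 'wp-settings.php';" line so that WordPress and every
// plugin (including this one) see the corrected REMOTE_ADDR.

$trusted_proxies = array('10.0.0.5', '10.0.0.6'); // hypothetical proxy addresses

/**
 * Return the address to treat as the client, using X-Forwarded-For only when
 * the TCP peer is one of our own proxies.
 */
function lss_example_client_ip(array $server, array $trusted_proxies) {
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';

    // If the peer is not a proxy we control, the header is untrusted input:
    // anyone could set it, pick the address that gets locked out, or dodge
    // the failure counters by changing it on every request.
    if (!in_array($remote, $trusted_proxies, true)
        || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }

    // X-Forwarded-For reads "client, proxy1, proxy2". Walk from the right,
    // skipping hops we control; the first hop we do NOT control is the client.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], $trusted_proxies, true)) {
            // Reject malformed values so a forged header cannot poison the fail table.
            if (filter_var($hops[$i], FILTER_VALIDATE_IP) !== false) {
                return $hops[$i];
            }
            break;
        }
    }
    return $remote;
}

$_SERVER['REMOTE_ADDR'] = lss_example_client_ip($_SERVER, $trusted_proxies);
```

The trusted-proxy check is the whole point: X-Forwarded-For is just a request header, so copying it into REMOTE_ADDR unconditionally lets an attacker choose any address they like, which both defeats per-address failure counting and lets them lock out somebody else's address. Walking the header from the right rather than taking its first element matters for the same reason, since the leftmost entries are whatever the client sent.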
1. Unzip the file.
1. Our existing tests are very effective, catching all of the 2 million entries in the Dazzlepod password list. But if you need to block specific passwords that our tests miss, this plugin offers the ability to provide your own dictionary files. Add a file to the pw_dictionaries directory and place those passwords in it, one password per line. Please be aware that checking the password files is computationally expensive. The following script runs through each of the password files and weeds out passwords already caught by the other tests:

    php utilities/reduce-dictionary-files.php
1. If your website has a large number of non-English-speaking users:
   * pw_sequences directory for your target languages. The following steps are for left-to-right languages. (For right-to-left languages, flip the direction of the motions indicated.)
   * pw_sequences directory
   * If your language is not yet in the languages directory, add one. Read http://codex.wordpress.org/I18n_for_WordPress_Developers for details. The files must use UTF-8 encoding. Send me the file and I'll include it in future releases. See the feature requests section, below.
   * dict program. See if dict is installed on your server and consider installing it if not. http://en.wikipedia.org/wiki/Dict
1. login-security-solution directory to your server's /wp-content/plugins/ directory
1. tests directory.
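The custom dictionary step and the pw_sequences step above describe two of the plugin's optional password checks without showing how such checks work. The following is an added example, not the plugin's own code: it sketches a keyboard-sequence test that walks each sequence file in both directions (which is what makes one file cover the right-to-left "flip" mentioned above), a streaming dictionary lookup, and the idea behind utilities/reduce-dictionary-files.php. The directory names come from the README; the function names, the run length of 4, the minimum length of 10 and the sample data are assumptions made for this illustration.

```php
<?php
// Added example, not the plugin's own code. Directory names are from the README;
// function names, thresholds and sample data are assumptions for illustration.

/** Read every non-empty line of every file in $dir (UTF-8, one entry per line). */
function lss_example_load_lines($dir) {
    $lines = array();
    foreach (glob(rtrim($dir, '/') . '/*') as $file) {
        foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
            $lines[] = $line;
        }
    }
    return $lines;
}

/** Reverse a UTF-8 string by characters; a bytewise strrev() would corrupt multibyte text. */
function lss_example_mb_reverse($s) {
    return implode('', array_reverse(preg_split('//u', $s, -1, PREG_SPLIT_NO_EMPTY)));
}

/**
 * True if $password contains $min_run consecutive characters that sit next to
 * each other in any sequence, walked in either direction. Checking the reversed
 * row is what lets one file serve both left-to-right and right-to-left layouts.
 */
function lss_example_has_sequence($password, array $sequences, $min_run = 4) {
    $pw = mb_strtolower($password, 'UTF-8');
    foreach ($sequences as $seq) {
        $seq = mb_strtolower($seq, 'UTF-8');
        $len = mb_strlen($seq, 'UTF-8');
        foreach (array($seq, lss_example_mb_reverse($seq)) as $row) {
            for ($i = 0; $i + $min_run <= $len; $i++) {
                $window = mb_substr($row, $i, $min_run, 'UTF-8');
                if (mb_strpos($pw, $window, 0, 'UTF-8') !== false) {
                    return true;
                }
            }
        }
    }
    return false;
}

/**
 * True if the password matches a line in any dictionary file. Files are streamed
 * with fgets() rather than slurped with file(): lists can run to millions of
 * entries, which is why the README calls this check expensive.
 */
function lss_example_in_dictionary($password, $dir) {
    $pw = mb_strtolower($password, 'UTF-8');
    foreach (glob(rtrim($dir, '/') . '/*') as $file) {
        $fh = fopen($file, 'r');
        if ($fh === false) {
            continue;
        }
        while (($line = fgets($fh)) !== false) {
            if (mb_strtolower(rtrim($line, "\r\n"), 'UTF-8') === $pw) {
                fclose($fh);
                return true;
            }
        }
        fclose($fh);
    }
    return false;
}

/**
 * Keep only the entries the cheaper tests would NOT already reject, which is
 * what the reduce script is described as doing: a shorter list means less time
 * in lss_example_in_dictionary() on every password change.
 */
function lss_example_reduce(array $entries, array $sequences, $min_length = 10) {
    $keep = array();
    foreach ($entries as $entry) {
        if (mb_strlen($entry, 'UTF-8') < $min_length) {
            continue; // the length test rejects it already
        }
        if (lss_example_has_sequence($entry, $sequences)) {
            continue; // the sequence test rejects it already
        }
        $keep[] = $entry;
    }
    return $keep;
}

// Constructed sample data standing in for the files; real use would call
// lss_example_load_lines('pw_sequences') and point at the pw_dictionaries directory.
$sequences   = array('qwertyuiop', 'asdfghjkl', '1234567890');
$custom_list = array('qwerty123', 'correcthorsebattery', 'abc');

var_dump(lss_example_has_sequence('Xyz!poiuy77', $sequences)); // "poiu" is "uiop" walked backwards
var_dump(lss_example_has_sequence('Tr0ub4dor&3', $sequences));
print_r(lss_example_reduce($custom_list, $sequences));
```

Of the three sample entries, only the long one that contains no keyboard run survives the reduce step; the other two would be rejected by the length and sequence tests before the dictionary scan ever ran, so keeping them in the file only costs time.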
The plugin needs to be installed and activated before running the tests. To execute the tests, cd into this plugin's directory and call:

    phpunit tests

Please note that the tests make extensive use of database transactions. Many tests will be skipped if your wp_options and wp_usermeta tables are not using the InnoDB storage engine.
Removal
login-security-solution directory.
fail table.
fail table.

The WordPress installation process (currently) defaults to naming the main administrator's user "admin." Many people don't change it. Attackers know this, so all they need to do to get into such sites is guess the password. In addition, if you try to log in while your site is being attacked, this plugin will send you through the password reset process in order to verify your identity. While not the end of the world, it's inconvenient.
A link to the page is found in this plugin's entry in the "Plugins" admin interface:
Let's turn the question around: "How long did it take to get in those 500 hits?" Chances are it took hours. (Six hours if they're attacking with one thread, two hours if they're coming at you with three threads, etc.) If this plugin weren't working, they'd have pulled it off in under a minute. Similarly, without the slowed responses this plugin provides, an attacker given six hours against your site could probably get in over 170,000 hits. Anyway, my real question for you is "Did they get in?" I'll bet not. The strong passwords this plugin requires from your users lower the chances of someone breaking in to just about zero. And even if they do get in, Login Security Solution realizes they're miscreants and kicks them right out.
The best way to go here is a subject open to debate. (Hey what isn't?) I chose the slowdown approach because it keeps legitimate users and administrators from being inconvenienced. Plus it provides a quick sand trap that ties up attackers' resources instead of immediately tipping them off that the jig is up.
Yeah, the DoS potential is there. I mitigated it for the most part by disconnecting the database link (the most precious resource in most situations) before sleeping. But remember, distributed denial of service attacks are fairly easy to initiate these days. If someone really wants to shut down your site, they'll be able to do it without even touching this plugin's login failure process.
Development of this plugin happens on GitHub. Please submit bug and feature requests, pull requests, and wiki entries on our GitHub.
To update the POT file, do this:

    svn checkout http://i18n.svn.wordpress.org/tools/trunk/ makepot
    cd login-security-solution/languages
    ./makepot.sh

To update the .po and .mo files:

    cd languages
    ./makepot.sh
    ./updatepos.sh
    ./makemos.sh
* CREATE TABLE statement in activate() to prevent WordPress' dbDelta() from creating duplicate keys each time the plugin is activated.
* .mo translation files.
* .htaccess file that blocks access to this plugin's directory.
* POST value for $user_name in login_errors() because the global value isn't always set.
* ENT_QUOTES instead of ENT_COMPAT in htmlspecialchars() calls because WordPress mixes and matches double and single quotes to delimit attributes.
* htmlspecialchars() instead of DB_CHARSET.
* htmlspecialchars() to avoid problems under PHP 5.4.
* plugins.svn.wordpress.org.
* wp_users auto increment.
* dict test if dict not available.
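The ENT_QUOTES entry in the changelog above is easy to skim past, but it closes a real cross-site scripting hole. The following is an added example, not the plugin's code: the template strings, the attacker-controlled value and the lss_example_* function names are constructed for this demonstration.

```php
<?php
// Added example, not the plugin's code, illustrating the ENT_QUOTES change.
// Template strings, payload and function names are constructed for this demo.

/**
 * Render an attribute the way a WordPress template might: delimited with single
 * quotes. Whether $flags is ENT_COMPAT or ENT_QUOTES decides if the value can
 * close the attribute early. The charset is passed explicitly so the result does
 * not depend on PHP's default, which changed in 5.4.
 */
function lss_example_render_single_quoted($value, $flags) {
    return "<input type='text' name='user' value='"
        . htmlspecialchars($value, $flags, 'UTF-8') . "'>";
}

/** The same value inside a double-quoted attribute, which both flag sets protect. */
function lss_example_render_double_quoted($value, $flags) {
    return '<input type="text" name="user" value="'
        . htmlspecialchars($value, $flags, 'UTF-8') . '">';
}

// A constructed value that tries to end the attribute and add an event handler.
$payload = "' autofocus onfocus='alert(document.cookie)";

// ENT_COMPAT encodes only double quotes: the single quote passes through
// untouched, so in the single-quoted template the browser sees an empty value
// attribute followed by two attributes of the attacker's choosing.
echo lss_example_render_single_quoted($payload, ENT_COMPAT), "\n";

// ENT_QUOTES encodes both quote characters, so the same value stays one inert
// attribute value in either template style.
echo lss_example_render_single_quoted($payload, ENT_QUOTES), "\n";
echo lss_example_render_double_quoted($payload, ENT_QUOTES), "\n";
```

The rule that falls out of this: choose the escaping flag for the worst case of how a value may be embedded, not the common case. Because WordPress templates delimit attributes with both quote characters, ENT_QUOTES is the only setting that holds up everywhere the value might land.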