(Even more) WordPress login rate-limiting
Lots of people (and lots of our customers) use WordPress to run their Web sites. This unfortunately means that lots of “hackers” also try to guess the passwords of those sites.
That’s a problem, so we’ve had WordPress login “rate limiting” in place for a long time. When a single IP address tries loading the WordPress “wp-login.php” script many more times than a human would, we temporarily block that IP address from accessing the “wp-login.php” page until the requests stop for a while.
This works pretty well: we’ve blocked literally millions of password attempts this way. However, last week one of our customers had his site hijacked by someone who did indeed simply guess his WordPress password.
Part of this was unfortunately the customer’s responsibility for choosing a weak password — he chose a common dictionary word beginning with the letter “a” that could be easily guessed. In fact, it only took the hackers a few dozen tries to guess it. However, we were still surprised that they succeeded, since the rate limiting usually blocks this.
A detailed investigation revealed that these hackers were smarter than average. Instead of trying lots of passwords all at once, they tried them fairly slowly, making about one attempt every 20 minutes over several days.
To thwart this, we’ve made our rate limiting stricter: it now “remembers” login attempts for a longer period, for example, and we limit some IP addresses if they make as few as 12 login attempts per day. That still shouldn’t affect most human users, but just to make sure that’s not a problem, we’ve also added a feature that lets humans reset the rate limiting. You’ll see this option on the error page that rate-limited requests get redirected to if it ever happens to you.
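To show why a longer memory matters, here is an added example of a per-IP limiter for wp-login.php requests; it is illustrative code written for this post, not the hosting provider’s actual rate-limiting system. The 12-attempts-per-day threshold and the “blocked until the requests stop for a while” behaviour come from the text above; the burst window (20 requests in 10 minutes), the one-hour block duration, the IP addresses and the request timings are constructed values. The slow attacker in the simulation makes one attempt every 20 minutes, which a short burst window never catches but the daily window does.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Window:
    seconds: int        # length of the sliding window
    max_attempts: int   # attempts within that window that trigger a block


BURST = Window(seconds=600, max_attempts=20)    # constructed: 20 requests in 10 minutes
DAILY = Window(seconds=86400, max_attempts=12)  # from the post: as few as 12 per day
BLOCK_SECONDS = 3600                            # constructed: one-hour block


class LoginRateLimiter:
    """Counts wp-login.php requests per source IP over several sliding windows."""

    def __init__(self, windows=(BURST, DAILY), block_seconds=BLOCK_SECONDS):
        self.windows = windows
        self.longest = max(w.seconds for w in windows)  # how long history is kept
        self.block_seconds = block_seconds
        self.attempts = defaultdict(deque)  # ip -> request timestamps (epoch seconds)
        self.blocked_until = {}             # ip -> time the block would expire

    def _prune(self, ip, now):
        # Drop timestamps older than the longest window; nothing older can matter.
        q = self.attempts[ip]
        while q and now - q[0] > self.longest:
            q.popleft()

    def allow(self, ip, now):
        """Record a request at time `now`; return True to serve it, False to block."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                # A request during the block renews it, so the block only lifts
                # once the requests actually stop for a while.
                self.blocked_until[ip] = now + self.block_seconds
                return False
            del self.blocked_until[ip]
        self._prune(ip, now)
        q = self.attempts[ip]
        q.append(now)
        for w in self.windows:
            count = sum(1 for t in q if now - t <= w.seconds)
            if count >= w.max_attempts:
                self.blocked_until[ip] = now + self.block_seconds
                return False
        return True

    def reset(self, ip):
        """Human-initiated reset from the error page: forget history and any block."""
        self.attempts.pop(ip, None)
        self.blocked_until.pop(ip, None)


def simulate(limiter, ip, timestamps):
    """Feed a constructed request sequence; return [(timestamp, allowed), ...]."""
    return [(t, limiter.allow(ip, t)) for t in timestamps]


def first_block_index(results):
    """Index of the first blocked request, or None if every request was served."""
    for i, (_, allowed) in enumerate(results):
        if not allowed:
            return i
    return None


if __name__ == "__main__":
    # Constructed scenario: one guess every 20 minutes from a documentation address.
    slow_guesser = [i * 1200 for i in range(40)]
    burst_only = LoginRateLimiter(windows=(BURST,))
    both = LoginRateLimiter()
    print("burst window only, first block:",
          first_block_index(simulate(burst_only, "203.0.113.7", slow_guesser)))
    print("burst + daily window, first block:",
          first_block_index(simulate(both, "203.0.113.7", slow_guesser)))
```

With only the burst window the slow sequence is never blocked; with the daily window the twelfth attempt (index 11) trips the limit and every later attempt renews the block until the requests stop. A few requests within a couple of minutes, the pattern of a human mistyping a password, stay under both thresholds.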
As always, don’t hesitate to contact us if you have any problems or questions related to this.