For the most part, I think criticisms of WordPress security are largely overblown. When you look at some of the more prominent hacks against WordPress-powered blogs, they tend to be due to common security problems, such as poor security models on virtual hosting servers or people who do not keep their WordPress install and plugins updated.
But occasionally I do shake my head at some WordPress practices. Take, for example, the Limit Login Attempts plugin that I use on this site. The plugin is straightforward–if someone tries to login with an account and gets the password wrong four times in a row, that account will be locked for 20 minutes.
It is probably overkill for me because no one’s going to brute force my admin account password–it is far too long and random to guess even with days worth of trying. Still, it’s just a good idea if only to shoo away potential hackers.
What pisses me off, though, is that I have to go download a plugin in order to accomplish this. For the love of all that is nerdy, why the hell is rate limiting login attempts not a feature in the WordPress core already (and one that should be turned on by default IMO)? That is an elementary security tool and it is mind boggling that this something that a vanilla WordPress install lacks.
- May 10, 2013 @ 20:43:16 [Current Revision] by Brian Carnell
- May 10, 2013 @ 20:43:11 by Brian Carnell