password time limit

1. the number is in seconds and should equate to 1 year.
2. yes, changing this to say 2592000 should equate to 30 days instead.
3. no, i don’t believe there is. you will have to hack login.php to keep a track of number of failures.

thanks!!!

1/2> yes, seconds .. yes it was that easy to change.

3> as the admin function seems to reside in login.php .. for posts/pages it seems it is actually located in : template-functions-post.php

let me run this by some of yall.. to build in some type of a 1.. 2.. 3 (more or less) strikes and you are out policy.. i assume the best way would be to create an array that would keep count of the number of tries made from an ip address for each post/page.. per time period. there weould then be a test at query time that would test to see if it was clear for access or not .. any thoughts / vulnerabilities?

Although I haven’t done this in WP, I have done similar stuff elsewhere, like this:

Use a PHP session variable to keep a track of number of logins. When that exceeds the maximum you will allow, “deactivate” the user. In WP, I think this might be done by changing the user_level column in users table to 0 (zero).

When that exceeds the maximum you will allow, “deactivate” the user. In WP, I think this might be done by changing the user_level column in users table to 0 (zero).

What if someone tries to log into your account 3 times? Then your account will be set to 0 and you’ll loose access to your own blog. That doesn’t sound like a good plan to me…

I’d just blacklist the IP from the login form for X hours + set a cookie that also blocks them.

What if someone tries to log into your account 3 times? Then your account will be set to 0 and you’ll loose access to your own blog. That doesn’t sound like a good plan to me…

Yes, that’s certainly true and it will be a problem if you don’t have direct access to the MySQL database, either with SSH or something like phpmyadmin.

However, if you have direct database access, it’s actually an excellent security mechanism for exactly the same reasons you outline and that’s why I always do it that way.

Whatever floats your boat, but I wouldn’t find it fun to have to go into my database every 5 minutes and have to re-admin my account if someone tries to login with my username. ??

BTW: what’s your blog URL if you have this on your blog? ??

great comments guys! ..

i guesss I was leaning toward creating a database within wordpress..
(found this as well : https://www.as400pro.com/servlet/sql.tipView?key=1072&category=HTML )


wordpress (database)
wp-postprotected (table)
post_counter (how many tries .. set in admin options panel.. would be same for all posts/pages )
post_counter_time_in_effect (when would counter reset automatically .. set in admin options panel .. would be same for all posts/pages)
post_time_penalty (how long an ip would be blocked .. set in admin options panel .. would be same for all posts/pages)
wp-protected_post_id (table)
ip_address (table)
counter
time_of_last_try_failed


so each protected post (posts &/or pages) would have a set of ip_addresses that each has a counter and time that they last tried and failed

sure someone could move to a new ip, etc.. but that seems to be able to be solved through a kind of throttle/choke on the system..e.g. if tries and fails > 10 in 10 min per post then lock down the page for some amount of time.

Ptryk: I think I may have misunderstood your request: I thought you were talking about the login password but it seems you meant the page password. If that’s the case, forget what I said as it doesn’t really apply. What you’re proposing seems like a good model.

Viper007Bond: No, no blog. I’m talking about custom (typically ecommerce) websites that I build for the client here.

pizdin .. couldn’t the concept work just as well for the admin login? (assuming if the mechanisms were to lock you out you could go into the phpmyadmin? or gain access through ftp / server side?)

Yes, it could but the “wp-protected_post_id” table would not be applicable. Perhaps another user-based one would be more appropriate. Or you could just do the session/user_level thing.

been looking into how to make this happen.. had a new/different thought: i am thinking that there really is no reason to apply the protection to a specific post/page/login.. why not have it simply track ip’s and if an ip makes say 3 login errors somewhere on the site within say 10 hours then that ip will get blocked from being able to try passwords?