A WordPress Plugin I’ve developed while suffering a brute force attack from multiple (probably spoofed) IP addresses.
After installing the plugin, the buttons on the login page become useless, because they submit the login form as-is, without the required challenge/response field. This means that even if the form is submitted automatically by a brute force utility, even from spoofed IP addresses, the plugin will still reject the attempt, because the required field won't be there.
The plugin has two components: a server-side PHP handler and a client-side jQuery bookmarklet.
The user configures a challenge with its response and both are saved to the database. The challenge is also packaged into a jQuery bookmarklet that the user adds to her bookmarks. When clicked on the login page, the bookmarklet shows the challenge and the user inputs a response. Then the bookmarklet adds the required field to the form and submits it.
When WordPress fires the login_init event, the PHP handler checks if the POST data contain a field whose name is the challenge and whose value is the response. If the field is there, then all proceeds as usual (i.e. other plugins are executed and the credentials are matched against the database), otherwise the handler displays an error message and terminates.
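The following is an added example of the server-side check described above, written for this page and not taken from the plugin itself. The option names (`crlg_challenge`, `crlg_response`), the function names and the decision to fail open while the plugin is unconfigured are assumptions made for the example; it uses only the WordPress hooks the text names (`login_init`) plus standard WordPress and PHP functions.

```php
<?php
/*
Plugin Name: Challenge-Response Login Gate (added example, not the original plugin)
*/

// Assumed option names; the real plugin's storage layout is not shown on the page.
const CRLG_CHALLENGE_OPTION = 'crlg_challenge';
const CRLG_RESPONSE_OPTION  = 'crlg_response';

/**
 * Returns true when $post contains a field named $challenge whose value is $response.
 * hash_equals() keeps the comparison constant-time so the response cannot be
 * guessed character by character through timing differences.
 */
function crlg_request_has_valid_response(array $post, string $challenge, string $response): bool {
    if ($challenge === '' || !array_key_exists($challenge, $post)) {
        return false; // the bookmarklet did not add the field: automated submission
    }
    $submitted = $post[$challenge];
    if (!is_string($submitted)) {
        return false; // arrays (field[]=...) are never a valid response
    }
    return hash_equals($response, $submitted);
}

function crlg_login_init_gate(): void {
    // Only credential submissions are gated; a GET just renders the form.
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return;
    }
    // Assumption: only the plain "login" action is gated, so password reset still works.
    $action = isset($_REQUEST['action']) ? (string) $_REQUEST['action'] : 'login';
    if ($action !== 'login') {
        return;
    }

    $challenge = (string) get_option(CRLG_CHALLENGE_OPTION, '');
    $response  = (string) get_option(CRLG_RESPONSE_OPTION, '');
    if ($challenge === '' || $response === '') {
        return; // assumed behaviour: not configured yet, so do not lock the admin out
    }

    if (!crlg_request_has_valid_response($_POST, $challenge, $response)) {
        // One log line per rejection: a burst of these is the brute-force signal
        // a defender wants to alert on (the IP may be spoofed, so count, don't trust).
        error_log(sprintf(
            'crlg: rejected login POST from %s (challenge field missing or wrong)',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
        // Display an error and stop; WordPress never reaches wp_signon() for this request.
        wp_die('Login rejected.', 'Login rejected', ['response' => 403]);
    }
}
add_action('login_init', 'crlg_login_init_gate');
```

Two points a deployer should keep in mind: the challenge name and the response are sent with the form, so the check only stays secret when the login page is served over HTTPS, and because the response is compared as a plain string, the database row holding it is worth protecting like a password (storing a hash with `password_hash()` and checking with `password_verify()` is a straightforward hardening of the example above).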