Login Dongle

2012-02, NotesLog, WordPress

A WordPress plugin I developed while suffering a brute force attack from multiple (probably spoofed) IP addresses.

Once the plugin is installed, the buttons on the login page become useless: they submit the login form as-is, without a field the plugin now requires, the challenge/response pair. So even when the form is submitted automatically by a brute force utility, and even from spoofed IP addresses, the plugin still rejects the attempt, because the required field is not there. The check does not depend on the client's IP address at all, which is why spoofing does not help the attacker.

The plugin has two components: a server-side PHP handler and a client-side jQuery bookmarklet.

The user configures a challenge together with its response, and both are saved to the database. The challenge is also packaged into a jQuery bookmarklet that the user adds to her bookmarks. When clicked on the login page, the bookmarklet shows the challenge and the user types the response. The bookmarklet then adds the required field to the form and submits it.

When WordPress fires the login_init action, the PHP handler checks whether the POST data contain a field whose name is the challenge and whose value is the response. If the field is there, everything proceeds as usual (other plugins run and the credentials are matched against the database); otherwise the handler displays an error message and terminates. Since both values are fixed, the check amounts to a second static secret rather than a one-time code: it stops tools that do not know the field, not an attacker who has captured a valid login POST, so the login page should still be served over HTTPS.
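The two components described above, reconstructed as a minimal WordPress plugin. This is an added example written for this page, not the Login Dongle source itself; the option names, function names and the 403 error text are assumptions, the settings screen that saves the pair is omitted, and the challenge is assumed to be stored as a plain identifier (letters, digits, underscores), because PHP rewrites dots and spaces in POST field names to underscores and the field would otherwise never match.

```php
<?php
/*
Plugin Name: Login Dongle (illustrative reconstruction, not the original plugin)
*/

// Option names are assumptions for this example; the page does not describe the real storage layout.
const LD_CHALLENGE_OPTION = 'login_dongle_challenge';
const LD_RESPONSE_OPTION  = 'login_dongle_response';

// wp-login.php fires login_init for every request it serves: the GET that renders
// the form, lost-password, logout. Only the actual login POST must be gated, or
// the user can never even reach the form to click the bookmarklet.
function login_dongle_is_login_post() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return false;
    }
    $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : 'login';
    return 'login' === $action;
}

// True when $post carries a field named after the challenge whose value is the response.
function login_dongle_post_is_valid( array $post, $challenge, $response ) {
    if ( '' === $challenge || ! isset( $post[ $challenge ] ) || ! is_string( $post[ $challenge ] ) ) {
        return false;
    }
    // hash_equals compares in constant time; wp_unslash undoes the slashes WordPress adds to $_POST.
    return hash_equals( $response, wp_unslash( $post[ $challenge ] ) );
}

function login_dongle_check() {
    if ( ! login_dongle_is_login_post() ) {
        return;
    }
    $challenge = get_option( LD_CHALLENGE_OPTION, '' );
    $response  = get_option( LD_RESPONSE_OPTION, '' );
    if ( '' === $challenge || '' === $response ) {
        return; // not configured yet: do not lock the administrator out
    }
    if ( ! login_dongle_post_is_valid( $_POST, $challenge, $response ) ) {
        // Terminate before wp_signon() runs: no other plugin sees the attempt and
        // the submitted credentials are never matched against the database.
        wp_die( 'Login rejected.', 'Login Dongle', array( 'response' => 403 ) );
    }
}
add_action( 'login_init', 'login_dongle_check' );

// Builds the bookmarklet that carries the challenge. On the login page it shows the
// challenge, prompts for the response, adds the required hidden field to the form
// and submits it, which the page's own Log In button never does.
function login_dongle_bookmarklet( $challenge ) {
    return 'javascript:(function(){'
        . 'var c=' . json_encode( $challenge ) . ';'
        . 'var f=document.getElementById("loginform");'
        . 'if(!f){alert("No login form on this page");return;}'
        . 'var r=prompt(c);'
        . 'if(r===null||r===""){return;}'
        . 'var i=document.createElement("input");'
        . 'i.type="hidden";i.name=c;i.value=r;'
        . 'f.appendChild(i);f.submit();'
        . '})();';
}

// Example of how a settings screen would hand the link to the user (the screen itself is omitted):
// echo '<a href="' . esc_attr( login_dongle_bookmarklet( get_option( LD_CHALLENGE_OPTION, '' ) ) ) . '">Login Dongle</a>';
```

The handler returns early on anything that is not the login POST; without that guard the same hook would also fire when the form is merely displayed, so the user could never reach the page to click the bookmarklet. The response comparison uses hash_equals rather than `==` so that the time taken does not leak how many leading characters of a guess were correct.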

One Reply to “Login Dongle”

  1. Does this Plug-In work with a Multisite? If so, does it work on the main admin account for the whole network or is there a separate dongle/bookmarklet for each blog? I can help you with a German translation, let me know. Rob
