
I run a web server with some 50+ WordPress installs on it. You better believe Fail2Ban is necessary. Without it all resources would be consumed by brute force attacks. If someone knows of a better way I would like to hear about it.



We use the WordFence module to block brute force attacks, seems to work fine.

I cannot believe that WordPress still ships without basic rate limiting on its login form.


In my experience, better to let a webserver handle stopping bad traffic by whitelisting WordPress endpoints.

Parsing a URL and returning 404 from nginx is cheap and scalable, and allows through legitimate traffic that may be sharing an IP (such as Tor).
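
One way the endpoint allowlisting described in the comment above could look in nginx, as an added example that is not part of the thread. The server name, document root, PHP-FPM socket and the choice of which scripts to allow are assumptions to adjust per site.

```nginx
# Added example. example.test, /var/www/example and the php-fpm socket
# path are placeholders, and the allowlist itself is an assumption.
server {
    listen 80;
    server_name example.test;
    root /var/www/example;
    index index.php;

    # Static files are served directly; permalinks and /wp-json/ fall
    # through to the front controller, which is on the allowlist below.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Allowlist: the only PHP scripts that are handed to PHP at all.
    # nginx tests regex locations in file order and stops at the first
    # match, so this block must stay above the catch-all.
    location ~ ^/(index\.php|wp-login\.php|wp-cron\.php|wp-comments-post\.php|wp-admin/[\w-]+\.php)$ {
        try_files $uri =404;   # never pass a non-existent script to PHP
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Everything else ending in .php is answered by nginx with a 404 and
    # never starts a PHP worker. This covers xmlrpc.php (remove it from
    # this rule only if the site needs it), direct requests to plugin or
    # theme files, and any .php dropped under wp-content/uploads.
    location ~ \.php$ {
        return 404;
    }

    # Dotfiles such as .htaccess or .git are never served.
    location ~ /\. {
        return 404;
    }
}
```

Because the decision is made per URL rather than per source address, clients behind a shared IP are not blocked as a group. wp-login.php is still reachable under this configuration, so it complements rather than replaces login throttling.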



