provide mainline supported rename of wp-login
Reported by: jorhett
Owned by:
In general I mock people who do security through obscurity, but I think in this case it might help a great deal. It's not that WordPress needs obscurity, so much as Every WordPress Is The Same and we've made the attacker's job way, way too easy.
We are in our 4th month of ongoing and escalating botnet attacks. The botnet provider keeps learning with each new evolution, and we're seeing a new evolution each week.
One thing a botnet can't do is deal with dynamic information. If WordPress were to provide a mainline, supported mechanism for a unique login URL, this would stop the botnet flat. Obviously this would require that you can't issue a remote query to get the login URL. But if it was just text on the screen, he couldn't very well alter his botnet to parse the text and figure it out. Or maybe he could, but it wouldn't work nearly so often.
I believe this is a problem best solved at the source, in a small, simple code fix that doesn't require every WordPress site to install large, complex plugins to achieve.
Change History (8)
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed