Sunday, February 13, 2011

Is There Some Way To Limit Logins To Websites?

Prevention could be better than a cure
One way is to discourage attackers from even trying. If they see a login form that only asks for a password, then that password is all they have to guess. But if the form also requires a user id that cannot easily be guessed, the effort needed for a brute force attack increases enormously. The chance of guessing the user id and the password together is small, so hopefully attackers will go elsewhere. That is not certain, though.

With WordPress
If you are hosting a blog using WordPress then the process is simple. I've tried a few suitable plugins, but only one actually worked and that was Limit Login Attempts. Some of the other plugins were quite easy to get around, but this could be my particular hosting. So install it and then test it out!

Doing it yourself
If you are writing the website for yourself then you need to look after the security yourself and that makes it a little bit more involved. But not impossible.

First, create a table in your database with just two columns: a timestamp and an IP address. When someone submits the login form, the first step is to remove old entries from this table. You can get the time of, for example, an hour ago in PHP quite simply with:
$cleartime = time() - (60 * 60);

Now just delete from the log table any records with a time less than $cleartime. Next, find the user's IP address. If you are writing in PHP, that is the REMOTE_ADDR entry of the $_SERVER array (note that behind a proxy or load balancer this is the proxy's address, not the visitor's):
$ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

Simply run a count of how many times that IP appears in the log table. If it is more than you want to allow, say three, then just exit the code or return to your home page.

Otherwise, check the user id / password combination. If they are good then log on as normal; otherwise add a record of the IP address and current time to your log table and return to the login form. At this point it is best to say only that the details were wrong, rather than whether the user name or the password was wrong, so that you give attackers no clue as to whether they have part of it correct.

A step further
Obviously a determined attacker may have access to multiple IP addresses, so a step further is either to monitor the user id being attempted and lock that out, or to lock out the login form entirely if there are too many failed attempts in the hour. As the administrator, you can always clear a lockout by deleting the rows manually!
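The whole procedure from "Doing it yourself", with the per-user and site-wide lockouts from "A step further" added, as one runnable example. This is added code written for this page, not the post's own PHP: it is written in Python against an in-memory SQLite database so it runs stand-alone, and the credential store, the per-user and site-wide limits (MAX_PER_USER, MAX_TOTAL), the test IP addresses and the message text are all constructed assumptions. The one-hour window and the limit of three per IP are the post's own figures.

```python
import hmac
import sqlite3
import time

# Limits: the post's one-hour window and "say three" per IP. The per-user and
# site-wide limits are assumed values for the "A step further" variants.
WINDOW_SECONDS = 60 * 60
MAX_PER_IP = 3
MAX_PER_USER = 5
MAX_TOTAL = 50

# Constructed demo credential store. A real site stores salted password hashes;
# plaintext is used here only so the example runs stand-alone.
USERS = {"alice": "correct horse battery staple"}

# One message for every failure, so nothing leaks about which part was wrong
# or whether the caller is currently locked out.
GENERIC_FAILURE = "The details you entered were not recognised."


def open_db():
    """Create the post's log table (timestamp + IP) with an extra userid column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE failed_logins ("
        " ts INTEGER NOT NULL, ip TEXT NOT NULL, userid TEXT NOT NULL)"
    )
    conn.commit()
    return conn


def purge_old(conn, now):
    """First step of the post: drop entries older than $cleartime."""
    cleartime = now - WINDOW_SECONDS
    conn.execute("DELETE FROM failed_logins WHERE ts < ?", (cleartime,))
    conn.commit()


def count_failures(conn, ip=None, userid=None):
    """Count recent failures, optionally filtered by IP and/or user id."""
    sql = "SELECT COUNT(*) FROM failed_logins WHERE 1=1"
    params = []
    if ip is not None:
        sql += " AND ip = ?"
        params.append(ip)
    if userid is not None:
        sql += " AND userid = ?"
        params.append(userid)
    return conn.execute(sql, params).fetchone()[0]


def is_locked(conn, ip, userid):
    """The post's per-IP limit, plus per-user and site-wide limits."""
    return (
        count_failures(conn, ip=ip) >= MAX_PER_IP
        or count_failures(conn, userid=userid) >= MAX_PER_USER
        or count_failures(conn) >= MAX_TOTAL
    )


def record_failure(conn, now, ip, userid):
    """Add a row for a failed attempt, as the post does on a bad login."""
    conn.execute(
        "INSERT INTO failed_logins (ts, ip, userid) VALUES (?, ?, ?)",
        (now, ip, userid),
    )
    conn.commit()


def credentials_ok(userid, password):
    """Compare in constant time; an unknown user takes the same path as a bad password."""
    expected = USERS.get(userid, "")
    match = hmac.compare_digest(expected.encode(), password.encode())
    return match and userid in USERS


def attempt_login(conn, ip, userid, password, now=None):
    """The post's flow: purge, count, check credentials, log the failure.
    Returns (success, message); the message is identical for a locked-out
    caller and for a wrong password."""
    now = int(time.time()) if now is None else now
    purge_old(conn, now)
    if is_locked(conn, ip, userid):
        return False, GENERIC_FAILURE
    if credentials_ok(userid, password):
        return True, "Welcome, " + userid
    record_failure(conn, now, ip, userid)
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    db = open_db()
    attacker_ip = "203.0.113.5"  # constructed address from the documentation range
    for _ in range(MAX_PER_IP):
        print(attempt_login(db, attacker_ip, "alice", "guess", now=1000))
    # Even the right password is refused from the locked-out address
    print(attempt_login(db, attacker_ip, "alice", USERS["alice"], now=1000))
```

Two design points worth noting. Attempts made while locked out are not recorded, matching the post, so a lockout expires on its own once the hour passes; recording them instead would extend the lockout for as long as the attempts continue. And the address used for the count is whatever the web server reports as the client address, so behind a reverse proxy every visitor would share the proxy's address and a single attacker could lock everyone out, which is why the per-user and site-wide limits need sensible values of their own.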

Keith Lunt owns Janric Website Design. If you want to know more about internet marketing, call across to the internet marketing blog and pick up a copy of our free internet marketing ebook!

1 comment:

Roller blinds said...

You should take part in a contest for one of the best blogs on the web. I will recommend this site!
...
Pearson Airport Taxi