
mark k.

Bootstrapping WordPress has almost the same cost for whatever page you load. So having 1% of your site traffic directed at the login page should not be a big thing. If the site cannot handle a spike of 1% in traffic then it is next to needing a hardware upgrade and blocking the login will not really change that.

Not only is read much faster than write out of the gate, reads you can also cache and have an even better performance (object cache or DB cache settings), but writes cannot be cached and worse, they invalidate any cache you already have, hurting the next read as well (this is a very general statement and of course depends on the specifics).

Limiting access by IP is a great way to lock yourself out of your system if you are too specific, and since the US and UK are the second and third source of attacks you cannot use any source of geographic filtering. Anyway, network users do not have access to htaccess and nginx cannot be easily changed without root access to the server, so this technique can be used by a very small number of WordPress users. And if you keep doing it at the PHP level so anyone can use it, then you will still pay the "penalty" for bootstrapping WordPress.

As for moving the access points I agree, but there are 2 caveats:
1. Do it wrong and you are locked out without anybody being able to help you, since your config is different than the normal one.
2. For some protocols to work you need to expose your endpoint in any case. This goes for comment and xml-rpc because of pingbacks. And even for login, if you stop the automatic redirect from wp-admin you hurt usability.

Anyway, this discussion about blocking IPs and endpoints reminds me of the joke about the fact that companies in trouble will first thing cut their coffee budget because everybody understands coffee, but the real expenses are harder to understand and therefore harder to cut. Same here, brute force is not a real problem but people always focus on it because it is easy to understand. Main breaches to WordPress are via badly coded plugins and themes but everybody installs them without doing even a minimal security review of them.

There is nothing wrong with cutting the coffee budget if you can, it is just not the thing that will likely move your company from red to black.





