In the past we have reported on many such cyber attacks, in which attackers hacked into WordPress blogs using password brute-force attacks, or used the pingback vulnerability in older versions of WordPress without compromising the server.
WordPress has a built-in feature called Pingback, which allows anyone to make a WordPress site send a request to an arbitrary URL; because any blog can be made to do this, a single machine can cause millions of requests to be sent to one target from many different locations.
We have seen more than 100,000 IP addresses involved in the recent DDoS attack, and the victim’s forum website received more than 40,000 requests in 7 minutes from different WordPress blogs and IP addresses.
According to a helpful Technet article on Microsoft’s website, an ideal number of login attempts before locking a user out of his or her account is 50.
The reasoning is mainly to give the user a reasonable number of attempts to log in without having to resort to calling the Help Desk for such a routine, repeatable problem. But for those who don’t have the guts to set the account lockout threshold that high, you can start with as few as 4 maximum attempts and as many as 10 and see how you like the results. More from Microsoft:
The Account lockout threshold policy setting determines the number of failed logon attempts that will cause a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the number of minutes specified by Account lockout duration expires. You can set a value from 1 through 999 failed logon attempts, or you can specify that the account will never be locked out by setting the value to 0. If Account lockout threshold is set to a number greater than zero, Account lockout duration must be greater than or equal to the value of Reset account lockout counter after.
Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed logons that can be performed nearly eliminates the effectiveness of such attacks.
However, it is important to note that a denial-of-service attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of Account lockout threshold, the attacker could potentially lock out every account.
Because it will not prevent a brute force attack, a value of 0 should only be chosen if both of the following criteria are explicitly met:
A robust auditing mechanism is in place to alert administrators when a series of failed logons is occurring in the environment.
If these criteria cannot be met, set Account lockout threshold to a high enough value that users can accidentally mistype their password several times before they are locked out of their account, but ensure that a brute-force password attack would still lock out the account. It is advisable to specify a value of 50 invalid logon attempts. Keep in mind, however, that although this setting can reduce the number of Help Desk calls by reducing the number of user lockouts, it cannot prevent a denial-of-service attack.
The threshold that you select is a balance between operational efficiency and security, and it depends on your organization’s risk level. To allow for user error and thwart brute force attacks, a setting above 4 and below 10 could be an acceptable starting point for your organization.
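To make the interaction of the three settings concrete, here is an added simulation (not from the article and not Microsoft's code) of the lockout counter: threshold, duration and reset window in minutes, with the "duration must be at least the reset window" rule from the text enforced, plus a helper that models a password-guessing run against one or many accounts so that both outcomes the text describes are visible, the brute-force attempt being locked out and every sprayed account being locked by an attacker. The account names and the one-guess-per-second pacing are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    threshold: int    # failed logons before lockout; 0 means never lock out
    duration: int     # Account lockout duration (minutes)
    reset_after: int  # Reset account lockout counter after (minutes)
    def validate(self) -> None:
        # rule stated in the Technet text for any non-zero threshold
        if self.threshold > 0 and self.duration < self.reset_after:
            raise ValueError("lockout duration must be >= reset window")

@dataclass
class Account:
    failures: int = 0
    last_failure: Optional[float] = None
    locked_until: Optional[float] = None

class Domain:
    def __init__(self, policy: LockoutPolicy, users):
        policy.validate()
        self.policy = policy
        self.accounts = {u: Account() for u in users}

    def is_locked(self, user: str, now: float) -> bool:
        a = self.accounts[user]  # the lock expires on its own after `duration`
        return a.locked_until is not None and now < a.locked_until

    def logon(self, user: str, password_ok: bool, now: float) -> str:
        # returns 'ok', 'denied' or 'locked'; `now` is in minutes
        a, p = self.accounts[user], self.policy
        if self.is_locked(user, now):
            return "locked"
        if a.last_failure is not None and now - a.last_failure >= p.reset_after:
            a.failures = 0  # quiet period elapsed: counter clears
        if password_ok:
            a.failures = 0
            return "ok"
        a.failures, a.last_failure = a.failures + 1, now
        if p.threshold and a.failures >= p.threshold:
            a.locked_until, a.failures = now + p.duration, 0
            return "locked"
        return "denied"

def guessing_attack(policy: LockoutPolicy, users, guesses: int) -> int:
    """One wrong guess per second against each user; returns how many end up locked."""
    d = Domain(policy, users)
    for u in users:
        for i in range(guesses):
            d.logon(u, False, i / 60)
    return sum(d.is_locked(u, guesses / 60) for u in users)
```

With threshold 50 a one-guess-per-second brute force is locked out within a minute, while a user who mistypes a few times and then succeeds is never locked; with threshold 0 nothing is ever locked, which is exactly the trade-off the text describes.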