Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stop tracking failed login attempts #547

Closed
frankiejarrett opened this issue May 22, 2014 · 5 comments · Fixed by #548
Closed

Stop tracking failed login attempts #547

frankiejarrett opened this issue May 22, 2014 · 5 comments · Fixed by #548

Comments

@frankiejarrett
Copy link
Contributor

Yesterday @Japh, @lukecarbis and I had a call to discuss data usage of Stream and how we might be able to improve things.

Japh had gathered some real data from a site using Stream, and to our surprise, Failed Login Attempts accounted for nearly 96% of all records! 46,000 of 48,000 records in just 15 days. Looking at these numbers, it's almost as if Stream is primarily serving as a failed login tracker and just happens to track a few other things too 😄

After a lot of discussion, we came to the conclusion that Stream should stop tracking failed login attempts altogether. Here were the main reasons:

  1. Data storage needs for Stream can be reduced by up to 95% in some cases.
  2. A failed login attempt doesn't write anything to the DB, Stream is capturing something that isn't really a site change. The core purpose of Stream is to show what changes are being made to the DB by logged in users.
  3. Stream isn't doing anything to solve the problem of failed logins, the only thing it does it tell you that they are happening.
  4. There are other plugins, like Brute Protect by @samhotchkiss and team, whose sole purpose is to identify and prevent the problem of brute forced login attempts. Users should be encouraged to use complete login security solutions like this, and Stream can provide logs of what happened after any known breach.
  5. We can offer Failed Login Attempts tracking as a free extension plugin, if people still want that functionality. Think Link Manager.

/cc @shadyvb, @westonruter, @jonathanbardo

@westonruter
Copy link
Contributor

👍

@frankiejarrett frankiejarrett changed the title Stop tracking failed login attempts Stop tracking failed login attempts, provide as plugin May 22, 2014
@frankiejarrett frankiejarrett changed the title Stop tracking failed login attempts, provide as plugin Stop tracking failed login attempts May 22, 2014
@jonathanbardo
Copy link
Contributor

I think it's a very good idea! The free plugin approach is a great
alternative for those who will be seeking this feature.

On Thursday, May 22, 2014, Weston Ruter notifications@github.com wrote:

[image: 👍]


Reply to this email directly or view it on GitHubhttps://github.com//issues/547#issuecomment-43901793
.

Jonathan Bardo
Web Developer
[image: X-Team] http://x-team.com/

@samhotchkiss
Copy link

Hey Frankie, thanks for looping me in here.

We're rolling out our big 2.0 release to BruteProtect later tonight, we've
been working around the clock on it since January. You can check it out
from http://alpha.bruteprotect.com/ if you're interested. We'd love to
talk to figure out some ways that we can work together.

Frankie, are you guys going to be at WordCamp Chicago?

Sam Hotchkiss :: Principal :: Hotchkiss Consulting Group
122 Front Street, Second Floor, Bath, Maine 04530
P: 207.200.4314 :: Skype: hotchkiss.consulting

On Thu, May 22, 2014 at 1:08 PM, Frankie Jarrett
notifications@gh.neting.ccwrote:

Yesterday @Japh https://github.com/Japh, @lukecarbishttps://github.com/lukecarbisand I had a call to discuss data usage of Stream and how we might be able
to improve things.

Japh had gathered some real data from a site using Stream, and to our
surprise, Failed Login Attempts accounted for nearly 96% of all records!
46,000 of 48,000 records in just 15 days. Looking at these numbers, it's
almost as if Stream is primarily serving as a failed login tracker and
just happens to track a few other things too [image: 😄]

After a lot of discussion, we came to the conclusion that Stream should
stop tracking failed login attempts altogether. Here were the main reasons:

  1. Data storage needs for Stream can be reduced by up to 95% in some
    cases.
  2. A failed login attempt doesn't write anything to the DB, Stream is
    capturing something that isn't really a site change. The core
    purpose of Stream is to show what changes are being made to the DB by
    logged in users.
  3. Stream doesn't do anything to solve the problem of failed logins,
    the only thing it does it tell you that they are happening.
  4. There are other plugins, like Brute Protecthttps://bruteprotect.com/by
    @samhotchkiss https://github.com/samhotchkiss and team, whose sole
    purpose is to identify and prevent the problem of brute forced login
    attempts.
  5. We can offer Failed Login Attempts tracking as a free extension
    plugin, if people still want that functionality. Think Link Managerhttps://wordpress.org/plugins/link-manager/
    .

/cc @shadyvb https://github.com/shadyvb, @westonruterhttps://github.com/westonruter,
@jonathanbardo https://github.com/jonathanbardo

Reply to this email directly or view it on GitHubhttps://github.com//issues/547
.

@lukecarbis
Copy link
Contributor

👍

1 similar comment
@Japh
Copy link

Japh commented May 22, 2014

👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants