V0.0.7 added a number of security enhancements to help prevent someone gaining unauthorised access to a user's account by requesting a password reset and using a brute force / automated process to guess the reset code and set a new password for the user. The changes were:

- Added a maximum number of allowed failed attempts to validate a code before automatically expiring it; the default has been set to 3
- Added filters to include letters as well as numbers in the reset code, as well as allowing you to specify your own string
- Added filters to allow the exclusion of certain roles from being able to reset their password, e.g. if you want to exclude Administrators

And was brought about by the following support request on WordPress.org:

Additional measures that could be considered are:

- Send a new password by email instead of asking the user to enter one
- If more than X bad codes are entered, block the IP address or API endpoint for the user for Y minutes

For the latter, we should explore if there are any facilities to log suspicious actions with security plugins like iThemes Security or WordFence so that site owners can align with their existing security policies.
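
A standalone model of the two controls discussed in this issue, as an added example that is not the plugin's code: the per-code failed-attempt limit (default 3) and the proposed per-IP block after X bad codes for Y minutes. All function names, the character set, the code lifetime and the X/Y values are assumptions; the plugin's own filters and storage are not shown on this page.

```php
<?php
// Added example, not the plugin's code. Every name and value below is hypothetical
// except MAX_ATTEMPTS, which mirrors the default of 3 stated in the issue.
const MAX_ATTEMPTS = 3;    // failed validations before the code is expired
const CODE_TTL     = 900;  // assumed code lifetime, in seconds
const LOCK_AFTER   = 5;    // "X" bad codes per IP (assumed value)
const LOCK_SECONDS = 600;  // "Y" minutes, in seconds (assumed value)
const ALPHABET     = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // letters and numbers (assumed set)

function issue_code(array &$codes, string $user, int $now, int $len = 8): string {
    $code = '';
    for ($i = 0; $i < $len; $i++) {
        $code .= ALPHABET[random_int(0, strlen(ALPHABET) - 1)]; // CSPRNG, not rand()
    }
    // Store only a hash so a leaked store does not reveal live codes.
    $codes[$user] = ['hash' => hash('sha256', $code), 'expires' => $now + CODE_TTL, 'fails' => 0];
    return $code;
}

function validate_code(array &$codes, array &$ips, string $user, string $ip, string $guess, int $now): string {
    if (($ips[$ip]['locked_until'] ?? 0) > $now) {
        return 'ip_locked';                  // blocked before the guess is even compared
    }
    $rec = $codes[$user] ?? null;
    if ($rec === null || $rec['expires'] <= $now) {
        unset($codes[$user]);
        return 'no_valid_code';
    }
    if (hash_equals($rec['hash'], hash('sha256', $guess))) { // constant-time compare
        unset($codes[$user]);                // single use
        return 'ok';
    }
    if (++$codes[$user]['fails'] >= MAX_ATTEMPTS) {
        unset($codes[$user]);                // expire the code on the third bad guess
    }
    $ips[$ip]['fails'] = ($ips[$ip]['fails'] ?? 0) + 1;
    if ($ips[$ip]['fails'] >= LOCK_AFTER) {
        $ips[$ip] = ['fails' => 0, 'locked_until' => $now + LOCK_SECONDS];
    }
    return 'bad_code';
}

// Constructed demo: the guesses use characters outside ALPHABET so they never match.
$codes = []; $ips = []; $t = 1700000000;
$real = issue_code($codes, 'alice', $t);
foreach (['00000000', '11111111', 'OOOOOOOO', $real] as $g) {
    echo validate_code($codes, $ips, 'alice', '203.0.113.7', $g, $t), "\n";
}
```

The fourth call submits the real code and is still rejected because the third bad guess already expired it; the `ip_locked` and `bad_code` return points are where a site would emit events for a security plugin to consume.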