Brute force attacks seem to be the most common vulnerability on WP installs
- Brute force attacks are not a WordPress vulnerability. They are a password vulnerability, if bad passwords are used.
- They are common, but whether they are “the most common” in occurrences and, more importantly, breaches is questionable.
rate limiting ought to be relatively easy to bake into WP itself
Have you tried to bake this easy thing? 🙂
I am yet to see a login “security” plugin that didn’t cause login issues long term, clash with less-than-mainstream browsers, clash with password manager applications, and so on. OK, maybe there is one I can think of — for Google 2FA.
No one has yet demonstrated that this easy thing can be done reliably in a plugin. Doing it at core scale? Ugh.
Why isn’t this basic security feature included by default?
So there you have it:
- It’s not basic.
- It’s not easy to implement.
- It works just fine without it.