New WordPress Security for Admin Logins


On Friday, April 12, 2013, a trial of securing all WordPress logins was implemented in response to the increasing and ever-present danger of sites being hacked due to outdated WordPress installations.

In April, an unprecedented worldwide bot-driven attack was initiated against WordPress sites. The attack hits sites at a massive rate, attempting to brute-force administrator passwords. Apart from the security risk to the sites themselves, the ferocity of the attack is such that it effectively represents a DDoS attack on the hosting servers. The attack is often launched from tens of thousands of IP addresses near-simultaneously.
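Because the attempts are spread across so many addresses, a per-IP rate limit alone tends not to trigger. The following is an added example, not part of the original notice or our production tooling: a small Python log check that counts failed wp-login.php POSTs per one-minute window across all source addresses. The log lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches POSTs to wp-login.php in Apache/nginx "combined" access-log lines.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php[^"]*" (\d{3}) ')

def sample_log():
    """Constructed sample traffic (documentation IP ranges), not real logs."""
    fmt = '{ip} - - [12/Apr/2013:10:{mm:02d}:{ss:02d} +0000] "{req} HTTP/1.1" {st} 3456 "-" "-"'
    lines = []
    for i in range(40):                      # 40 bots, 2 failed logins each
        for ss in (i % 30, i % 30 + 20):
            lines.append(fmt.format(ip=f"203.0.113.{i + 1}", mm=0, ss=ss,
                                    req="POST /wp-login.php", st=200))
    for ss in range(6):                      # one noisy client in a later minute
        lines.append(fmt.format(ip="198.51.100.9", mm=3, ss=ss,
                                req="POST /wp-login.php", st=200))
    # A successful login (302) and a page view, both of which must be ignored.
    lines.append(fmt.format(ip="198.51.100.7", mm=5, ss=10, req="POST /wp-login.php", st=302))
    lines.append(fmt.format(ip="198.51.100.7", mm=5, ss=12, req="GET /wp-admin/", st=200))
    return lines

def analyse(lines, per_ip_limit=5, min_ips=20, min_posts=50):
    """Return (per_ip_alerts, distributed_alerts) for one-minute windows."""
    windows = defaultdict(lambda: defaultdict(int))   # minute -> ip -> failures
    for line in lines:
        m = LINE.match(line)
        # Assumption: a 200 response to a login POST is a failed attempt
        # (WordPress re-renders the form); a 302 redirect is a success.
        if m and m.group(3) == "200":
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            windows[ts.strftime("%Y-%m-%d %H:%M")][m.group(1)] += 1
    per_ip, distributed = [], []
    for minute, ips in sorted(windows.items()):
        per_ip += [(minute, ip, n) for ip, n in ips.items() if n > per_ip_limit]
        total = sum(ips.values())
        if len(ips) >= min_ips and total >= min_posts:
            distributed.append((minute, len(ips), total))
    return per_ip, distributed

if __name__ == "__main__":
    for alerts in analyse(sample_log()):
        print(alerts)
```

In the constructed sample, the 40-address burst stays under the per-IP limit and is caught only by the aggregate check, while the single noisy client is caught only by the per-IP check.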

After coding and testing a number of mitigation solutions to deal with the learning and evolving nature of the attack, we eventually settled on a front-end CAPTCHA challenge, which we’ve installed to protect all wp-login.php accesses. When users now access their WordPress administrator login, they are first presented with a CAPTCHA challenge dialogue. The instructions contained in the dialogue supply an alphanumeric string to be entered as a user name, and a simple number sum to be entered as a password. These values need to be manually entered as a first layer of protection for all WordPress administrator logins. The user name and password values will be changed from time to time as required for effectiveness.

General opinion is that similar attacks will eventually be levelled against other popular CMS and related applications, and we will add this top-layer CAPTCHA challenge protection to other applications as required.

If you simply follow the instructions by entering the username and then the CAPTCHA response, you will then be presented with the normal admin login.

If you have any questions please call our Support Team.
