In the last two weeks I have been working on perfecting a patch for the wp-login.php page that will prevent a swarm of brute-force attacks from guessing your password or bringing down your server. When I first released this patch it was a bit overzealous and caused a few people to be temporarily locked out of their own blogs as their login attempts were incorrectly identified as brute-force attacks.
This patch of mine has also caused a small wave of paranoia because it displays the unconventional (and possibly spooky) message “Just what do you think you are doing, Dave?” whenever a brute-force attack or too many failed logins are detected. This message is a quote from the movie 2001: A Space Odyssey. Even though I intended this message to bring out the humor of the situation, I also feel it is very relevant (unless your name is not Dave :-)
The linked response “Open the Pod bay doors, HAL!” is also a quote from the same movie, and it is just there to link you back to the login page should you want to try to log in again.
I have also received many inquiries as to why the wp-login.php file is flagged as a WP Login Exploit on every install of WordPress, even brand new installs of the most current version. This is simply because WordPress has no built-in brute-force protection and its login page is exploitable. The widespread attacks on login pages around the world as of late have clearly demonstrated that it is not only vulnerable to password cracking via brute force, but that a large enough volume of attacks can also overload and bring down a whole server. That is why my patch also prevents the loading of the WordPress bootstrap when a brute-force attack is detected, so that your server’s resources are not tied up just telling hackers whether they guessed the right password or not.
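To illustrate the approach described above (a check that runs before the WordPress bootstrap), here is an added example that is not the actual patch or plugin code: a hypothetical PHP include for the very top of wp-login.php that counts login submissions per client IP and stops before wp-load.php once a threshold is exceeded. The thresholds, the storage file path and all function names are assumptions.

```php
<?php
// Hypothetical pre-bootstrap guard (an assumption, not the author's patch) included at
// the very top of wp-login.php, before wp-load.php. Counts login submissions per IP
// and refuses to load WordPress once a threshold inside the window is exceeded.
const BFG_MAX_ATTEMPTS   = 10;   // submissions allowed per IP per window (assumed)
const BFG_WINDOW_SECONDS = 600;  // sliding window of 10 minutes (assumed)
const BFG_STORE = '/tmp/bfg-attempts.json'; // assumed path; keep it outside the web root

function bfg_load_store(): array {
    $raw  = @file_get_contents(BFG_STORE);
    $data = ($raw === false) ? null : json_decode($raw, true);
    return is_array($data) ? $data : [];
}

function bfg_save_store(array $data): void {
    file_put_contents(BFG_STORE, json_encode($data), LOCK_EX);
}

// Record one submission for $ip and report whether the IP is now over the limit.
function bfg_record_attempt(string $ip, int $now): bool {
    $data   = bfg_load_store();
    $cutoff = $now - BFG_WINDOW_SECONDS;
    $recent = array_values(array_filter(
        $data[$ip] ?? [],
        function ($t) use ($cutoff) { return (int) $t > $cutoff; }
    ));
    $recent[]  = $now;
    $data[$ip] = $recent;
    bfg_save_store($data);
    return count($recent) > BFG_MAX_ATTEMPTS;
}

// Clear an IP's counter after a successful login; an mu-plugin can call this from
// add_action('wp_login', ...) so real users are not penalised for a few typos.
function bfg_clear(string $ip): void {
    $data = bfg_load_store();
    unset($data[$ip]);
    bfg_save_store($data);
}

// Only count real login form submissions (POST carrying the username and password fields).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['log'], $_POST['pwd'])) {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0'; // behind a reverse proxy this is the proxy
    if (bfg_record_attempt($ip, time())) {
        http_response_code(429);
        $back = htmlspecialchars($_SERVER['SCRIPT_NAME'] ?? '/wp-login.php', ENT_QUOTES, 'UTF-8');
        echo '<p>Just what do you think you are doing, Dave?</p>';
        echo '<p><a href="' . $back . '">Open the Pod bay doors, HAL!</a></p>';
        exit; // WordPress is never loaded for this request
    }
}
```

Because the guard runs before WordPress, it cannot tell a failed login from a successful one on its own; the bfg_clear() hook from an mu-plugin is what keeps legitimate users from being counted toward the limit.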
I hope this helps answer your questions about this new threat and my approach to solving it. Feel free to leave a comment if I could do better explaining anything.
Hey Eli, question for you… when I run the anti-malware I get the notification that my wp-login.php is susceptible to a brute force attack. I click the automatically fix (which I’ve done on other sites using your plugin successfully) on one particular site and I get a “fixing /var/www/clients/client12/web31/web/wp-login.php … Failed!” Any idea what this could be from?
Usually it’s a permission issue. You should make sure that the wp-login.php file is writeable by the webserver.
Great plugin! Wondering if you are considering a scheduler feature or if you could propose how to schedule a scan.
Thanks! I am working on this feature but it is not a simple matter because of the complexities involved with scanning so many subdirectories at once. I hope to have this feature finished or at least ready for testing by March.