In the last two weeks I have been working on perfecting a patch for the wp-login.php page that will prevent a swarm of brute-force attacks from guessing your password or bringing down your server. When I first released this patch it was a bit overzealous and caused a few people to be temporarily locked out of their own blogs as their login attempts were incorrectly identified as brute-force attacks.

This patch of mine has also caused a small wave of paranoia because it displays the unconventional (and a possibly spooky) message “Just what do you think you are doing, Dave?“ whenever brute-force or too many failed logins is detected. This message is a quote from the movie 2001: A Space Odyssey. Even though I intended this message to bring out the humor of the situation, I also feel it is very relevant (unless your name is not Dave :-)

The linked response “Open the Pod bay doors, HAL!“ also a quote from the same movie and it’s just there to link you back to the login page should you wan to try to login again.

I have also received many inquiries as to why the wp-login.php file is flagged as an WP Login Exploit on every install of WordPress, even brand new installs of the most current version. This is simply because WordPress has no built-in brute-force protection and it’s login page is exploitable. It has been clearly demonstrated through the widespread attacks on login pages around the world as of late that it is not only vulnerable to password cracks via brute-force but it also has been shown to overload and bring down a whole server if the attacks are too numerous. That is why my patch also prevents the loading of the WordPress bootstrap if a brute-force attack is detected so that your server’s resources are not tied up just telling hackers if they guessed the right password or not.

I hope this helps answer your questions about this new threat and my approach to solving it. Feel free to leave a comment if I could do better explaining anything.