Over the past 6 months or more we have seen huge, widespread brute force attacks against WordPress installations on our servers. A brute force attack is where a "bot" or other automated system repeatedly tries to log in to a system by cycling through many different combinations of usernames and passwords until it finds one that works. These attacks are widespread and executed very quickly, with thousands of username and password combinations being tested against websites every second. They not only pose a security risk to your WordPress websites if you are using the default admin username and/or a weak password, but they also cause our servers to consume far more resources than normal whilst processing these thousands of login requests every second. It should be noted that these attacks are not unique to ThisWebHost; all hosting providers are experiencing them.
In order to try and prevent these attacks, and to stop the "bots" from reaching the WordPress login page at all, we have implemented a global, server-wide third-party authentication mechanism on WordPress login pages. This system asks you to input the username and password listed in the popup box. The implementation looks like this:
This box will only appear when accessing the WordPress login page, which typically happens when you try to reach the WordPress dashboard. It may also appear if you have a website that integrates with the WordPress 'users' system. If you see such a box, you must enter the username and password listed in the popup box text. Once you have entered these details, you should not need to do so again until you start a new browser session.
For those having difficulty determining which username and password to use, we have underlined the necessary information in this screenshot:
To reiterate, you need to enter the username and password listed in the popup box above. Please do not enter your WordPress username and password or your cPanel username and password, as these will not work. You must enter only the username and password listed in the box.
If your local device does not display the text that provides the username and password, you may use the username and password listed in the above screenshot. These are accurate and will be kept up to date. Please note that the password should not end with the "." character (the full stop in the text is not part of the password).
Invalid Logins/Closing the Popup Box
If you enter an invalid username and password several times, you may see a 401 error with a message stating "Authentication required". Simply refreshing the page should allow you to try again. This is by design and is not considered insecure; we have written more about this below. Once you have entered the credentials successfully you will reach your usual WordPress login page and can log in with your own configured WordPress details.
Purpose and Design
The idea behind this implementation is that the "bots" are built to brute force WordPress login pages and are not expecting third-party authentication. Because of this, they should not be able to read or interpret the text in the popup box at all, and so should not be able to get past this authentication step and attack WordPress directly.
Please note that this system cannot be disabled on an individual site basis, and so will remain globally active on our servers. It does not hook into or modify any WordPress files and instead operates at the server level. It will also work on new WordPress installations without needing any configuration.
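As an added illustration (this is not ThisWebHost's own configuration, which the article does not publish), the server-level gate described above can be expressed as an HTTP Basic Authentication block on wp-login.php in Apache's global configuration. The realm text, the credentials file path and the example username and password below are placeholders. The realm string is what browsers show in the popup, which is why the hint about which credentials to enter is carried in it.

```apache
# Added example, not ThisWebHost's actual configuration.
# Placed in the global httpd.conf (or a conf.d/ include) rather than a
# per-site .htaccess, so it applies to every virtual host and to new
# WordPress installations without touching any WordPress files.
<Files "wp-login.php">
    AuthType Basic
    # The realm is the text browsers display in the credential prompt.
    # Keep it free of trailing punctuation so the password is not read
    # as ending with a ".". Values below are placeholders.
    AuthName "Bot protection: enter username EXAMPLE_USER and password EXAMPLE_PASS"
    # Assumed path; the file is created with the htpasswd tool.
    AuthUserFile "/etc/httpd/wp-login.htpasswd"
    Require valid-user
</Files>
```

The credentials file is created once with `htpasswd -c /etc/httpd/wp-login.htpasswd EXAMPLE_USER` (path and username are the same placeholders). Because the gate is a `<Files>` match in the server configuration, it catches every wp-login.php on the server regardless of which site it belongs to, so a new WordPress install is covered automatically and no individual site can opt out. A request without the Authorization header, or with a wrong one, gets a 401 response with a WWW-Authenticate challenge, which is the "Authentication required" page the article describes; once the browser has accepted a working username and password it resends them for the rest of the session. One caveat matches the article's iOS note: a browser that does not render the realm string shows only a bare prompt, so the hint must reach those users another way.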
iOS & Mobile Users
We are aware that iOS and some other mobile devices currently do not render the complete authentication message. Instead, they simply show a prompt box requesting a username and password. This is a limitation of these devices and is not something we can resolve server side. To work around this we have employed a fixed username and password combination that will not change and can therefore be entered on mobile devices from memory.
We realise this may be an inconvenience to users, and we are very sorry for this. We do hope, however, that you see the significant benefits it brings; namely, an additional layer of security for your WordPress websites and better server performance for all.
This system currently blocks in excess of 1 million attacks per server every day. Given how successful it has been in preventing automated attacks against WordPress, we have no immediate plans to deactivate or disable it.