Some folk might be having problems trying to log in to the site. I don’t know much about this, but here’s what I do know:
- When I tried to log in today, I received a response “WordPress administrator area access disabled temporarily due to widespread brute force attacks.” As far as I know, you can neither log in nor log out. However, your current login will still expire (as did mine).
- Here’s a report that is probably related: Brute Force Attacks Build WordPress Botnet.
In case you are wondering how I managed to post this – I was actually logged in with two different browsers. My login with “firefox” (my preferred browser) has expired. My login with “rekonq” has not yet expired. I think it has another week to go. So I am posting this from “rekonq”.
I have noticed a lot of performance issues recently, and few posts the last 48 hours.
Sorry, I’ve been away for a couple of days. I’ve contacted webhostingpad to see what is going on.
I received a message about this, using the reply form at my own blog:
That was from a member here, who is probably locked out at the moment.
As for my own blog (the “maybe this blog” reference), that’s actually on the wordpress site itself. If hackers are attacking that, they are probably looking for access to wordpress administration, rather than the admin of individual blogs there.
From what I have gathered about the hacking attack, it is an attempt to gain access as user “admin” at sites using the wordpress software. The attack apparently brute-force tries a large number of commonly used passwords.
From what I gather, if the admin account is not “admin”, and if there is a strong password (long enough and random enough), then that blog is pretty safe from the attack, though the attempts might put a load on it.
In the case of this blog (TSZ), I presume that Lizzie is leasing space on a server, and the server has provided the basic software. It appears that the server staff have taken pre-emptive action to block possible access to the admin account (by blocking logins to all accounts).
Yes that is the case. The webhost has blocked access to admins – I’m not sure whether non-admins are also blocked. They have a workaround – I’ll email you.
I can’t log in using Opera; the box for the username lies right on top of the last line of instructions, so I can’t provide the correct password.
That’s annoying. hmm.
I’m using Opera and it looks like I can get in now, although I couldn’t before. Should we change user names and passwords?
Changing passwords to something hard to guess is a good idea, but I think the biggest problem is with admin passwords.
The brute force attack is trying to hack the admin accounts, so those are the ones that webhostingpad has locked down.
Fortunately none of our admins are called “admin”.
I’m still having the problem with the balloon in Opera, but somehow I clicked on a username and was told I had to log in to see a profile, and got a normal login box.
The solution for admins is two-factor authentication. http://bit.ly/12j9lV3.
webhostingpad seem to have installed an extra captcha for admins.
Anyone else seeing that?
I am assuming that everyone sees that. The system doesn’t know that you are an admin until you are logged in.
I see it too, although I am but lowly.
Let me know if there are continuing problems.
Ah, of course. I saw it when I was logging off, so I thought it might be an admin thing.
No problems, but an oddity in that in attempting to log out, I was required to do the password+math thingie.
Logout was successful.
Logging back in again was just as it used to be – just my TSZ username + password, no arithmetic.
Still and all, so long as I can get into TSZ, I’m one happy bunny.
Same problem in Opera. But if I click on a user’s name beside a post I get a login screen that does not include the CAPTCHA. You might want to let them know; I bet that an admin could log in by that route as well.
This morning for the first time I got the captcha-log in. I don’t know why that came up; I know I’ve logged in and commented in the last week or so and this is the first I’ve seen it.
Well, I almost failed to prove I was human, or at least to prove I was smart enough to read the directions on screen. Gack.