WordPress appears to be the target of a fairly large scale attack. Some of the sites that I work on are giving an error message when someone tries to log into then.  I have not seen the “Not Acceptable” error message when trying to go to the wp-login.php page before.  But as to why some sites are affected and others are still functioning as they should is puzzling as well as the wp-login pages are the same for all of the sites I have looked at.  

Some users of WordPress are probably experiencing an inability to log in as for the past couple weeks there has been a wide scale attack on WordPress sites.  Some hosting companies are reporting over 90,000 IP addresses participating in the Brute Force Attack on WordPress sites attempting to gain access by systematically guessing password.  The symptoms of this attack are a very slow admin area on your WordPress site, or an inability to log in.  In some instances your site could even intermittently go down for short periods of time.

Those of you who have passwords that are easy to guess might want to think about updating your password to something harder to guess.  Using letters, capital letters, numbers, and even some symbols in what your password is can make it harder to guess your password making these kind of brute force attacks almost useless.

Another thing that is recommended is to not use the default username of admin as your administrator account.  By changing this to something other than admin it also requires these hackers to know the username which makes it a little harder for a script to guess the password of the administrator account as it assumes admin is the correct username.

There are some plugins out there that can help to combat abusive behavior.  Like Limit Login Attempts – http://wordpress.org/extend/plugins/limit-login-attempts is one such plugin that allows you to set a time limit and attempted login amount so that brute force attacks are difficult if not impossible to do.  By limiting the failed number of attempts after 5 for example it would lock them out of the system so they could not continue guessing passwords.

There are such services out there as well like CloudFlare that can help provide an extra level of security for websites as well DDOS protection.

UPDATE:
It appears that most hosts have disabled people abilities to log into the backend of WordPress as a preventative measure against the brute force attacks that are currently happening.

Share This

We are using cookies on our website

Please confirm, if you accept our tracking cookies. You can also decline the tracking, so you can continue to visit our website without any data sent to third party services.