Just what do you think you are doing, Dave?

In the last two weeks I have been working on perfecting a patch for the wp-login.php page that will prevent a swarm of brute-force attacks from guessing your password or bringing down your server. When I first released this patch it was a bit overzealous and caused a few people to be temporarily locked out of their own blogs as their login attempts were incorrectly identified as brute-force attacks.

This patch of mine has also caused a small wave of paranoia because it displays the unconventional (and a possibly spooky) message "Just what do you think you are doing, Dave?" whenever brute-force or too many failed logins is detected. This message is a quote from the movie 2001: A Space Odyssey. Even though I intended this message to bring out the humor of the situation, I also feel it is very relevant (unless your name is not Dave :-)

The linked response "Open the Pod bay doors, HAL!" also a quote from the same movie and it's just there to link you back to the login page should you wan to try to login again.

I have also received many inquiries as to why the wp-login.php file is flagged as an WP Login Exploit on every install of WordPress, even brand new installs of the most current version. This is simply because WordPress has no built-in brute-force protection and it's login page is exploitable. It has been clearly demonstrated through the widespread attacks on login pages around the world as of late that it is not only vulnerable to password cracks via brute-force but it also has been shown to overload and bring down a whole server if the attacks are too numerous. That is why my patch also prevents the loading of the WordPress bootstrap if a brute-force attack is detected so that your server's resources are not tied up just telling hackers if they guessed the right password or not.

I hope this helps answer your questions about this new threat and my approach to solving it. Feel free to leave a comment if I could do better explaining anything.

Aloha,
Eli Scheetz

Tags: , ,

4 Comments on "Just what do you think you are doing, Dave?"

  • tc0nn
    On May 13, 2013 at 4:47 am, tc0nn said:

    Every site I add (even a brand new one), when I scan a complete site with updated def’s, it always alerts on wp/wp-login.php stating the following is found(1)… Any suggestions on how to fix or double check? The file looks fine.

    <?php
    /**
    * WordPress User Page
    *
    * Handles authentication, registering, resetting passwords, forgot password,
    * and other user handling.
    *
    * @package WordPress
    */

    /** Make sure that the WordPress bootstrap has run before continuing. */
    require( dirname(__FILE__) . '/wp-load.php' );

    Reply
    • Anti-Malware Admin
      On May 13, 2013 at 6:06 am, Anti-Malware Admin said:

      I have received many inquiries as to why the wp-login.php file is flagged as a WP Login Exploit on every install of WordPress, even brand new installs of the most current version. This is simply because WordPress has no built-in brute-force protection and the login page is exploitable. It has been clearly demonstrated through the recent widespread attacks on WordPress login pages around the world that it is not only vulnerable to password cracks via brute-force but it has been shown to overload and bring down a whole server if the attacks are too numerous. That is why my patch prevents the loading of the WordPress bootstrap if a brute-force attack is detected so that your server’s resources are not tied up telling hackers if they guessed the right password or not.

      So basically, if my plugin finds that the first line of code in the wp-login.php file is loading the wp-load.php file without my protection before it then it flags it as a vulnerability. Applying my patch before this first line of code filters out this plague of attack so that they don’t even load WordPress and your server is free to serve the pages that real visitors are requesting.

      I hope this helps answer your questions about this new threat and my approach to solving it.

      Reply
  • Paul W. Davis
    On May 12, 2013 at 10:17 am, Paul W. Davis said:

    Don’t really care for the failed login humor. It is upsetting, especially since my site is targeted for brute force login attempts and I get the message even when my login is correct.

    You need to separate the two: failed logins and too many brute force attempts.

    Simply giving someone a blank screen for a failed login attempt would be fine.

    Letting a proper login go through and then informing on the Dashboard that “X” number of failed attempts were performed would be better.

    Not sure what to think at the moment.

    Reply
    • Anti-Malware Admin
      On May 12, 2013 at 12:11 pm, Anti-Malware Admin said:

      Thank you for your feedback. Everything I have put into this plugin is there to benefit you. There have been just a few complaints/confusion about the message I choose to display here. Remember, this message is meant to be displayed to those individuals that are trying to hack your site. However, I never meant to upset or confuse any of my users, for that I am sorry.

      This login patch has changed many time since I created it and it will continue to change to adapt to the primary threat it was designed for and the feedback from users like you. The current script let you have six failed login attempts before displaying the message and provides a link to try again after that. I didn’t want to just have a blank white page because I felt that if a user here to get that page while trying to login they wouldn’t know why they got it or what to do next and would be even more confused. But all that is secondary to the main function of this script.

      The main thing this script does is detect the type of brute-force attack that has been causing servers to crash because it posts login attempts so frequently that the server cannot load the WordPress framework fast enough to keep up. These attacks usually come from multiple spoofed IP addresses so there is no point in logging then. My script must be loaded before the WordPress bootstrap in order to prevent the server from being overloaded so there is no access to the WordPress database for logging or admin notifications anyway.

      Basically, this patch was designed to keep you server from crashing while under a massive brute-force attack and block bots and scripts from posting to the WordPress login page. It should let proper logins go through, and a reasonable number of failures too. If you are having trouble with this patch or receiving the error too frequently I would be more than willing to personally check it out for you. Also, please feel free to leave more suggestion on how to make this, or any other feature, better.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>