In my ongoing attempts to improve the security of WordPress and to clarify the brute-force threat, I have isolated the code for my login patch into an include file and added some notes to explain why the wp-login.php file comes up as a vulnerability.
I have also downgraded the severity of this threat and changed it to an "opt-in" fix instead of being marked in red and default checked for automatic repair. This is partly because I have perceived an ebbing of the brute-force attacks on WordPress sites that spiked a couple of months ago, but also because a moderator on wordpress.org suggested that I should not be modifying WordPress core files.
I will also be taking the "Dave" and other references from the movie 2001: A Space Odyssey out of the login patch because some people (not named Dave) didn't see the humor in it and I don't want to upset anyone.
Comments and suggestions are always welcome.
In the last two weeks I have been working on perfecting a patch for the wp-login.php page that will prevent a swarm of brute-force attacks from guessing your password or bringing down your server. When I first released this patch it was a bit overzealous and caused a few people to be temporarily locked out of their own blogs as their login attempts were incorrectly identified as brute-force attacks.
This patch of mine has also caused a small wave of paranoia because it displays the unconventional (and a possibly spooky) message "Just what do you think you are doing, Dave?" whenever brute-force or too many failed logins is detected. This message is a quote from the movie 2001: A Space Odyssey. Even though I intended this message to bring out the humor of the situation, I also feel it is very relevant (unless your name is not Dave
The linked response "Open the Pod bay doors, HAL!" also a quote from the same movie and it's just there to link you back to the login page should you wan to try to login again.
I have also received many inquiries as to why the wp-login.php file is flagged as an WP Login Exploit on every install of WordPress, even brand new installs of the most current version. This is simply because WordPress has no built-in brute-force protection and it's login page is exploitable. It has been clearly demonstrated through the widespread attacks on login pages around the world as of late that it is not only vulnerable to password cracks via brute-force but it also has been shown to overload and bring down a whole server if the attacks are too numerous. That is why my patch also prevents the loading of the WordPress bootstrap if a brute-force attack is detected so that your server's resources are not tied up just telling hackers if they guessed the right password or not.
I hope this helps answer your questions about this new threat and my approach to solving it. Feel free to leave a comment if I could do better explaining anything.Aloha,