Staying ahead of the bots

In the last few months, we’ve seen increasingly complex attacks on WordPress login forms. These attacks are designed to identify and illegally access any accounts with weak passwords (rather than targeting and exhaustively attacking a single account).

Because these attacks have become more clever, we’ve had to improve our approach in order to keep our clients’ sites safe. So, from now on, you may occasionally have to complete a captcha (a simple word test to prove that you’re a human) in order to log in to your site.

The new controls are designed to stop bots from attempting to guess passwords by completing your login form. These bots distribute login attempts across numerous IP addresses and WordPress accounts. Because these attacks are distributed, no one IP address ever accumulates enough failures to trigger an automatic ban.

The controls we’ve added today keep track of failures across IP addresses and accounts, and will cause a captcha to be shown after the fifth consecutive login failure from a particular IP address, or on a particular account.
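To make the rule above concrete, here is an added illustration (not the hosting platform's own code) of counters keyed by source IP and by account, with a captcha demanded once either reaches five consecutive failures. It assumes in-memory counters with no expiry window, which the post does not specify; the sample traffic is constructed and uses RFC 5737 documentation addresses.

```python
from collections import defaultdict

CAPTCHA_THRESHOLD = 5  # the post's rule: captcha after the fifth consecutive failure


class LoginGuard:
    """Count consecutive login failures per source IP and per account.

    Either counter reaching the threshold demands a captcha on the next attempt.
    A successful login resets both counters it touches, so only *consecutive*
    failures accumulate. Assumption: counters are in memory with no expiry.
    """

    def __init__(self, threshold=CAPTCHA_THRESHOLD):
        self.threshold = threshold
        self.ip_failures = defaultdict(int)
        self.account_failures = defaultdict(int)

    def captcha_required(self, ip, account):
        return (self.ip_failures[ip] >= self.threshold
                or self.account_failures[account] >= self.threshold)

    def record_attempt(self, ip, account, success):
        """Record one attempt; return whether a captcha is now required."""
        if success:
            self.ip_failures[ip] = 0
            self.account_failures[account] = 0
        else:
            self.ip_failures[ip] += 1
            self.account_failures[account] += 1
        return self.captcha_required(ip, account)


def first_captcha_attempt(attempts, threshold=CAPTCHA_THRESHOLD):
    """Replay (ip, account, success) tuples; return the 1-based index of the
    attempt after which a captcha is first demanded, or None if never."""
    guard = LoginGuard(threshold)
    for i, (ip, account, ok) in enumerate(attempts, start=1):
        if guard.record_attempt(ip, account, ok):
            return i
    return None


# Constructed sample traffic (RFC 5737 documentation addresses), not real logs.
# Distributed guessing: eight IPs each try "admin" once. No IP exceeds one failure,
# so a per-IP-only rule never fires, but the per-account counter reaches five.
DISTRIBUTED = [(f"203.0.113.{n}", "admin", False) for n in range(1, 9)]
# One IP spraying many accounts: per-account counters stay at one, per-IP hits five.
SPRAY = [("198.51.100.7", f"user{n}", False) for n in range(1, 9)]
# A real user mistypes twice, then logs in: counters reset and no captcha is shown.
TYPOS = [("192.0.2.10", "alice", False)] * 2 + [("192.0.2.10", "alice", True)]
```

Because the account counter is keyed on the username, anyone can force a captcha onto a legitimate user's account, which degrades convenience but, unlike a lockout, never removes access.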

We’re using a captcha because locking the account or blocking the IP address could cause legitimate users to lose their access: something we’re keen to avoid. The captcha achieves the same goal (blocking bots), because it requires human reasoning to complete. This retains access for real users, while preventing bots from working.

At the moment, we’re not aware of any bots which are clever enough to complete captchas. We will of course continue to monitor all the sites we host, and endeavour — as always — to stay one step ahead of the bad guys.