Not all ‘upgrades’ are good

WordPress software is behind a large chunk of the web – over a quarter of the top ten million sites, apparently. The good thing about this is that you can find easily someone who knows WordPress and can at least to try to help with any problems. The bad thing about this is that breaking into WordPress-based sites is a very popular activity for hackers and the attempts are both endless and automated.

It would help if the authors of WordPress software took security a bit more seriously: unless you do something about it, anyone can attempt to login to your site as many times as they like, as fast as they like – they even made it easy for attackers to try hundreds of user names and passwords at the same time* – with nothing to go ‘Hang on, you’ve tried a thousand different user name and password combinations in the past minute, I don’t think you’re really a human with legitimate access to this site…’** Allow this and eventually the right combination will be found, and the attacker can do anything they like on your site.

So there’s a bit of software on Your Escort Site websites that looks out for repeated failures to login and blocks access to the site for a while if that happens. The ‘try hundreds at once’ attack is blocked too.

But just trying a user name and password involves the software remembering how to check them, looking through a database and doing some maths to see if they’re correct. When this is happening hundreds of times a second, it can slow everything down for real users.

So Your Escort Site websites have another check to see if someone attempting to login is real. The web server expects a password before it will show the web page used to login to your site. Get it wrong, and the WordPress software never knows it happened. It’s proved very useful whenever there’s a major attack on WordPress-based sites.***

As merely having a password on this page defeats the vast majority of ‘bots’ trying to break in, it doesn’t need to be a good one. So it’s a simple three letter word. But even that can be forgotten, so the web server sends a message to the browser telling the visitor what it is! This should be displayed in the small pop-up asking for the password. (Bots tend to be very stupid and can’t read the message.)

Different browsers show this login different. Here’s Firefox getting it right:

Firefox showing the initial popup correctly

Firefox gets it right – can YOU guess what the user name and password are?

Chromium, Google Chrome and Opera (both of which are based on the Chromium software) used to show the message in a slightly different way, but since a recent upgrade no longer do so:

Chrome not showing the message from the web server

Chrome gets it wrong

Why this was thought to be an improvement, I don’t know.

Either way, once the short user name and password are entered, the user gets to the real login screen which looks like..

An example of the real login page

The real login page

.. and that’s where the real user name and password is entered.

* The feature that allowed that is used in another bit of software they wrote, but there is zero legitimate use for this aspect of it. It’s still there, sigh.

** They have, finally, stopped suggesting sites have one particular name for an account that can do anything on the site, with the result that it was the one that most hack attempts tried. It only took several years of pointing this out before the change was made too, sigh.

*** Every few months, basically.

One thought on “Not all ‘upgrades’ are good

  1. Eunhee

    So far I never had any problem with my website based on wordpress. Probably all thanks to you… Because you installed this feature and some other plugins too.

    I am now trying to make another website with wordpress and scared as I might fail to manage it properly (security and spam) without you behind!

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *