Application Bot Protection Layer
In April, 2013, an unprecedented worldwide bot driven attack was initiated against WordPress sites. The attack hits sites at a massive rate, attempting to brute force administrator passwords. Apart from the security risk to the sites themselves, the ferocity of the attack is such that it effectively represents a DDOS attack on the hosting servers. The attack is often levied from tens of thousands of near simultaneous IPs.
After coding and testing a number of mitigation solutions to deal with the learning and evolving nature of the attack, GCom Internet has settled on a front end Bot Protection Layer challenge which we've installed to protect all wp-login.php accesses. When users now access their WordPress administrator login, they are first presented with a Bot Protection Layer challenge dialogue. The instructions contained in the dialogue supply an alphanuma string to be entered as a user name, and a simple number sum to be entered as a password. These values need to be manually entered as a first layer protection for all WordPress administrator logins. The user name and password values will be changed from time to time as required for effectiveness.
General opinion is that similar attacks will eventually be levied against other popular CMS and related applications, and we will add this top level Bot Protection Layer challenge to other applications as required.
We strongly advise against ever removing the default security provided by the Bot Protection Layer from your website. Normally your website should be designed in such a way that only CMS administrators will ever encounter the challenge dialogue, and if this is not the case, your first step should be to debug and correct your website design and application processes.
However, if you do ultimately decide to remove the Bot Protection Layer from a specific file, you can easily do so either by renaming the file and updating your code accordingly, or by adding an override directive to a .htaccess file.
A minimal override in .htaccess for wp-login.php would be along the lines of...
<FilesMatch "^wp-login\.php$"> Satisfy Any </FilesMatch>
If you opt to remove or bypass our standard Bot Protection Layer, please be sure to replace the brute force protection it offers with an alternative method. For WordPress, a number of relevant plugins are available at...