1 comment

  1. I made an answer out of this now to give a more detailed write-up to your question.

    As the botnet is so large and the attack is happening with so many IPs (some providers say they have seen >90.000 different addresses), it makes no sense anymore to start blocking single IPs (using plugins like Limit Login Attempts or fail2ban on the server side) like we did in the past.

    Your hosting company is quite right. Your page may be under attack. Almost all other WordPress installations are also under attack at the moment. But they implemented a solution that’s actually preventing you from working with your WordPress install.

    The only REAL solution at the moment is to have a strong password that cannot be brute-forced (optionally don’t even have a username admin). If you really have a safe password, you can tell your provider to disable that limitation without any worries.


    Also, following a long discussion on the wp-hackers mailing list, Sam Hotchkiss actually came up with a plugin called BruteProtect you could additionally use. This plugin logs all failed logins from any WordPress install this plugin is installed on and blocks any IP that has too many failed attempts.
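
The point made in the comment above, that per-IP limits miss an attack spread over many addresses, can be checked against an access log. The following is an added example, not part of the comment or of any plugin it names; it assumes combined-format access logs, that a failed `wp-login.php` POST returns 200 while a successful one redirects with 302, and uses a constructed log and hypothetical thresholds.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_failed_logins(lines):
    """Return [(ip, timestamp)] for each failed wp-login.php POST."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        # Assumption: failure re-renders the form (200), success redirects (302).
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            events.append((ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")))
    return events

def per_ip_lockouts(events, threshold):
    """IPs that a classic per-address limiter would block."""
    counts = Counter(ip for ip, _ in events)
    return {ip for ip, n in counts.items() if n >= threshold}

def peak_site_wide_failures(events, window):
    """Highest count of failed logins, from all IPs, inside any sliding window."""
    recent, peak = deque(), 0
    for ts in sorted(ts for _, ts in events):
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        peak = max(peak, len(recent))
    return peak

def constructed_log(n_ips=300, attempts_each=2):
    """Constructed sample: one failed login per second, two per address."""
    start = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    for i in range(n_ips * attempts_each):
        k = i % n_ips
        ts = (start + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S")
        lines.append(f'10.0.{k // 250}.{k % 250 + 1} - - [{ts} +0000] '
                     '"POST /wp-login.php HTTP/1.1" 200 3521')
    # One successful login (302) that must not be counted as a failure.
    lines.append('10.9.9.9 - - [01/Jan/2024:10:05:00 +0000] '
                 '"POST /wp-login.php HTTP/1.1" 302 0')
    return lines

if __name__ == "__main__":
    ev = parse_failed_logins(constructed_log())
    print("per-IP lockouts:", len(per_ip_lockouts(ev, threshold=4)))
    print("peak failures in 5 min:", peak_site_wide_failures(ev, timedelta(minutes=5)))
```

On this sample no single address reaches the per-IP threshold, while the site-wide count in a five-minute window makes the attack obvious.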