Home ยป Archives for Patrick Barnes

Why does my website ask if I’m human?

This Captcha page blocks automated brute force attacks

If you have admin access to your website, you may have encountered something like the picture on this page when you try to log in to your admin area.

This is a security measure placed by our hosting company to defend your website against hacking attacks.

Note: Sometimes you need to refresh the page after entering the Re-Captcha code – do this if you get a blank screen.

[caption id="attachment_1328" align="alignright" width="400"]This Captcha page blocks automated brute force attacks This Captcha page blocks automated brute force attacks[/caption]

In April 2013 a new threat emerged, bombarding the login pages of popular content management systems like WordPress, Joomla and many others with automated login attempts. This is known as a Brute Force Attack.

Thousands of requests were hitting each log in page per second, which caused websites to crash. It is believed the attacks were intended to get in to the website admin areas by guessing commonly used usernames and passwords. It is not known what the hackers planned to do once they got in, but you can bet it wasn’t anything good.

The solution

Heart Internet’s solution is to place a page in front of the WordPress login page with a Captcha box that the automated attacks cannot read – therefore they can’t get through and slow down the affected site.

The protection isn’t there all the time, but it appears the attacks are continuing sporadically and when a new attack is launched, the Captcha page re-appears.

It also appears if Heart detects suspicious activity from one IP address and we’ve been caught out on this before when moving from site to site to do updates.

So while it may be a pain to get past, it’s far better than the alternative.

It also underlines the importance of using strong passwords for your WordPress login.

And it should be pointed out that there is nothing inherently insecure about WordPress that made it a target for these attacks (as long as it is kept up to date, which we do). It’s more to do with the popularity of WordPress, and the tendency of some website owners to use insecure passwords and not keep it up to date.

More information



Using strong passwords to keep your site and email secure

WordPress login screen

If you have back end access to your site, it’s vitally important to use secure, unguessable passwords – something like this: eA8iZvXoMi7w

The same is true of email accounts.

Why do I need secure passwords?

[caption id="attachment_1066" align="alignright" width="350"]WordPress login screen WordPress login screen[/caption]

Today it’s common for website login pages to be bombarded with automated attacks that ‘guess’ passwords and try them against common user names. It’s relatively easy for these attacks to gain access to the website’s user names, so secure passwords are the only way to stop them.

This password guessing is known as a dictionary attack, where the hacker runs a list of common passwords against your website. If that doesn’t work then the next stop is a Brute Force attack, which tries generating random passwords to get in.

In our WordPress sites we never use the default ‘admin’ user name, and we generate secure passwords.

What is a secure password?

A secure password should include both upper and lower case letters, numbers and even some punctuation – but the letters must be random.

The number of characters in your password is also important – eight characters can be cracked quite quickly, while 12 increases security dramatically.

Don’t be tempted to use a word that appears in a dictionary (in any language) or a name, even if you substitute some of the letters for numbers – for example, replacing an e with a 3: Hackers are clever people and they have already thought of that!

How to generate secure passwords

The best way to generate secure passwords is to use an online password generator. There are plenty available but here’s one example.

How Big is Your Haystack provides a nice way to test your passwords against known ‘brute force’ methods used by hackers.

Better still is to use a service like LastPass, which stores your passwords safely in an encrypted ‘vault’, prompts you went you need to enter your passwords, and will also suggest secure passwords when you are creating a new login. LastPass is free for most users, with a paid for version for extended functionality.