Why does my website ask if I’m human?

If you have admin access to your website, you may have encountered something like the picture on this page when you try to log in to your admin area.

This is a security measure placed by our hosting company to defend your website against hacking attacks.

Note: Sometimes you need to refresh the page after entering the Re-Captcha code – do this if you get a blank screen.

This Captcha page blocks automated brute force attacks
This Captcha page blocks automated brute force attacks

In April 2013 a new threat emerged, bombarding the login pages of popular content management systems like WordPress, Joomla and many others with automated login attempts. This is known as a Brute Force Attack.

Thousands of requests were hitting each log in page per second, which caused websites to crash. It is believed the attacks were intended to get in to the website admin areas by guessing commonly used usernames and passwords. It is not known what the hackers planned to do once they got in, but you can bet it wasn’t anything good.

The solution

Heart Internet’s solution is to place a page in front of the WordPress login page with a Captcha box that the automated attacks cannot read – therefore they can’t get through and slow down the affected site.

The protection isn’t there all the time, but it appears the attacks are continuing sporadically and when a new attack is launched, the Captcha page re-appears.

It also appears if Heart detects suspicious activity from one IP address and we’ve been caught out on this before when moving from site to site to do updates.

So while it may be a pain to get past, it’s far better than the alternative.

It also underlines the importance of using strong passwords for your WordPress login.

And it should be pointed out that there is nothing inherently insecure about WordPress that made it a target for these attacks (as long as it is kept up to date, which we do). It’s more to do with the popularity of WordPress, and the tendency of some website owners to use insecure passwords and not keep it up to date.

More information