billhector

So, MDD changed every hosted WP site to protect the people that had a user name of 'admin' and a password of '123456', right? You said it yourself, changing the user name in and of itself will not stop the attack. The password is the issue. Sorry, I don't see how protecting nimrods from themselves is good for anyone. They've still got the password '123456'?! Now that we've confirmed that in fact the password is the real issue, it makes me wonder why even the word "password" was missing for Mike's email. I have a reseller account. They email I sent to my clients quoted Mike, but I also went over password security and mentioned the great product LastPass. Finally, this latest WordPress on MDD apocalypse has pretty much confirmed to me that Mike hates WordPress and would love for every last install to leave. He won't say that ever, but it's clear as rain. Too bad.

Thank you. This is exactly my point. The attack will continue whether the user name is changed or not. It makes no difference. The attack probably makes x number of attempts, and since WP isn't returning any useful information, the attack continues until the x number has been reached or the login has been successful. So, changing the user names was a pointless exercise.

Before I totally lose it, let me ask this one question: why is this brute force attack a problem if the response to a failed WordPress login is noncommittal? The error response doesn't tell you whether the user name OR password was the problem. So, changing the user name gives an attack the same information as not changing the user name, thus it doesn't stop the attack. Please explain.

My inbox just got flooded with "urgent" notices about out dated WordPress installations. Okay, I get it. But I'm wondering how useful it is to send these emails to the reseller and not the specific account admin. Because unless I then go and email each of these individuals, nothing gets done. Why not deal with the person who installed WordPress in the first place? OR, if that doesn't work (I understand you might want to leave communication to the reseller), how about adjusting the tone and content of the emails? First, take the tone down a notch. The world isn't ending. In some cases, "URGENT" seems a little much. I received one notice saying that a 3.5 WordPress was out of date -- URGENT! Well, I guess it's out of date. WordPress is now at 3.5.1. Also, the email sent to resellers is written as we've never heard of WordPress. We get it. Updates good. Old bad. Why not write a 100 word email with links to resources. Done. Or you can keep doing what you're doing ...

I was well aware that you where changing servers. That's not the issue. You kept us updated fine. What we did not know is that you were changing server names. That we did not know. At all. I will open a ticket in the morning, EDT, when i can keep on top of the communication and you can help with our settings. BTW: "mail.theirdomain.com" does not work 100% of the time. I know. It doesn't work for me, despite me setting up the dns how I thought it was supposed to be. Thank you. We'll speak later.

No. Are you serious? Let me get this straight. You are now going to change the server name so that I have to change all my email preferences (along with all my clients, because I have a reseeler account)? Really? And this happens at sort of a random time, in the middle of the night? Which I guess wouldn't make much of a difference if I could have created a subdomain name that was mapped and worked (for example, mail.domain.com). But I could never get that to work, for me or clients, so I just gave up. Please tell me that the situation isn't as dire as I think. BW

This has nothing to do with the server migration? Any news on that front?