Brute force attacks on a shared hosting

Last night I got an email from my hosting company, they shut down one of my WordPress site for it was brute force attacked on login page. The support guy asked me if I could recognize the source IP, and sent a Google search results link about how to solve the problem, that means I have to solve the problem by myself.

I’m pretty upset when I got this email, but still tried to block the IP in the .htaccess file. I found the hosting company changed the file privileges so I couldn’t update the .htaccess. The only thing I could do is replied the email and called their EMERGENCY service number, which was answered by an answering machine, asked them how could I do any fix if I couldn’t edit the .htaccess file.

10 minutes later the support guy called back, he asked me to save the .htaccess in another filename then they will replace it. And told me they need my Plesk username and password to recover my site. This is really weird that a hosting company can shut down a site without the admin username and password, but request those credentials when they need to bring the site back.

I really don’t understand why they didn’t just block the IP, since it’s so obvious that it was performing brute force attacks. They said because the server is a shared environment they can’t block the IP just for my site, which is the weirdest excuse I’ve ever heard from a hosting company. (After talked to MediaTemple, I know it’s my bad, most shared hosting won’t do such protection for a single site.) And even they can change the file privileges, they can’t block the IP in my .htaccess, it should be my own business.

At last they suggested me to add a CAPTCHA on the login page or setup a whitelist IPs in .htaccess to keep the brute force attacks away. I did the later.

I’m not sure if I have too much expectation to a shared hosting. (Yes, I did. When out of luck, hosting on a shared server would be like sitting on a bomb.) I do plan to move my sites to a VPS on MediaTemple this year, not because of the security issues, but for performance optimization. I’ll cover more on this in the future. Any suggestions are welcome.

Updates on Jan, 20: Modify the content after talked to MediaTemple.

Posts You Might Also Like:

In

3 responses

  1. Week 3 on blogging and marketing 1Fix.io – 1Fix.io

    […] one group and still “building influence” in another group. I started a discussion about my site was brute force attacked last weekend, and got some impressive comments, which I’ll write another post about website security later […]

    Reply
  2. Lessons learned after brute force attacks – 1Fix.io

    […] days ago one of my sites got brute force attacked. The site is hosted on a shared server, and the webhosting shut my site down for consuming too much […]

    Reply
  3. Keep WordPress Safe From Brute Force Attacks with Fail2ban

    […] I personally hate brute force attacks most, which cost one of my clients’ sites down and a painful customer service experience. So last year when I started some new WordPress sites on a Media Temple VPS hosting, I chose to use […]

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *