Brute force attacks on a shared hosting

Last night I got an email from my hosting company, they shut down one of my WordPress site for it was brute force attacked on login page. The support guy asked me if I could recognize the source IP, and sent a Google search results link about how to solve the problem, that means I have to solve the problem by myself.

I’m pretty upset when I got this email, but still tried to block the IP in the .htaccess file. I found the hosting company changed the file privileges so I couldn’t update the .htaccess. The only thing I could do is replied the email and called their EMERGENCY service number, which was answered by an answering machine, asked them how could I do any fix if I couldn’t edit the .htaccess file.

10 minutes later the support guy called back, he asked me to save the .htaccess in another filename then they will replace it. And told me they need my Plesk username and password to recover my site. This is really weird that a hosting company can shut down a site without the admin username and password, but request those credentials when they need to bring the site back.

I really don’t understand why they didn’t just block the IP, since it’s so obvious that it was performing brute force attacks. They said because the server is a shared environment they can’t block the IP just for my site, which is the weirdest excuse I’ve ever heard from a hosting company. (After talked to MediaTemple, I know it’s my bad, most shared hosting won’t do such protection for a single site.) And even they can change the file privileges, they can’t block the IP in my .htaccess, it should be my own business.

At last they suggested me to add a CAPTCHA on the login page or setup a whitelist IPs in .htaccess to keep the brute force attacks away. I did the later.

I’m not sure if I have too much expectation to a shared hosting. (Yes, I did. When out of luck, hosting on a shared server would be like sitting on a bomb.) I do plan to move my sites to a VPS on MediaTemple this year, not because of the security issues, but for performance optimization. I’ll cover more on this in the future. Any suggestions are welcome.

Updates on Jan, 20: Modify the content after talked to MediaTemple.

I’m a senior web developer helping clients build their websites to grow businesses. Currently I’m based in Taipei, Taiwan.

I write things about WordPress, AngularJS and life. Whenever you’d like to find someone to talk about these topics, just get in touch!