There is currently a massive DDoS attack targeting WordPress sites all over the world. The attack attempts to gain access to sites by running multiple logins using a dictionary of weak passwords – http://www.bbc.co.uk/news/technology-22152296.

UPDATE: This extra pop has now been removed and replaced with a CAPTCHA – read more here

Some hosting providers have blocked access to the WordPress admin area altogether, however we wanted to avoid this approach as it would stop you accessing your site to make changes. Instead an extra layer of security has been put in place to stop these automated attacks from gaining access to /wp-admin address. You will notice this when you next attempt to access your WordPress admin area as you will be asked for a separate username and password – the details are below:

Username: protected
Password: wordpress

Once this attack has stopped this extra step will be removed – you can follow progress on this here sgis.co.uk/system_status.php

UPDATE: This extra pop has now been removed and replaced with a CAPTCHA – read more here

Other things you can do

1. Change your password especially if it is weak password. Make sure it contains upper and lowercase characters as well as numbers and symbols.

2. If you are still using admin as the username update this.

3. Add anti-spam checks to wp-login – wordpress.org/extend/plugins/tags/captcha

4. Add two step authentication to login. wordpress.org/extend/plugins/tags/authenticator

If you have any questions please contact us.