I suppose I could lay out the entire email chain that went down yesterday that actually started Thursday night.
Suffice it to say, for those who aren’t aware, there is currently a brute force attack against any and all WordPress websites. Overall this is not the most difficult thing to spot; most of the logins all use the same user name and overall they’re just not that intelligent. Evidently my current provider, My Hosting, was getting slammed and quite hard. In an effort to head the problem off at the pass they edited everyone’s .htaccess files to restrict access to the WordPress login page. This wouldn’t be a problem except they had a default deny so site owners were locked out. Most definitely that’s not Shiny.
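An added example (not from the original post or the host): instead of a default deny on the login page, failed login POSTs can be counted per source address in the Apache access log so that only the offending addresses get restricted. The log lines are constructed, and the threshold, window and the "200 means failed login" convention are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" access-log fields we need: client IP, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def flag_login_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return client IPs with >= threshold failed wp-login.php POSTs inside window.

    Assumptions: lines are in time order, and a failed login is a POST answered
    with 200 (stock WordPress redirects with 302 on success).
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        script = m["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if script != "wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(m["ip"])
    return flagged

# Constructed sample log (documentation address ranges), not data from the page.
_FMT = '{ip} - - [01/Jan/2024:10:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" {st} 3500 "-" "-"'
SAMPLE_LOG = (
    # Automated guessing: six failed logins in six seconds from one address.
    [_FMT.format(ip="198.51.100.23", m=0, s=s, req="POST /wp-login.php", st=200) for s in range(6)]
    # Site owner: loads the form, then logs in successfully once.
    + [_FMT.format(ip="203.0.113.10", m=1, s=0, req="GET /wp-login.php", st=200),
       _FMT.format(ip="203.0.113.10", m=1, s=5, req="POST /wp-login.php", st=302)]
    # A user who mistypes twice, minutes apart, stays under the threshold.
    + [_FMT.format(ip="192.0.2.77", m=mm, s=0, req="POST /wp-login.php", st=200) for mm in (2, 9)]
)

if __name__ == "__main__":
    print(sorted(flag_login_bruteforce(SAMPLE_LOG)))
```

The access log does not record the submitted username, so this counts failures per address; matching on a repeated username would need a login-failure log from WordPress itself.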
The last email I got in the exchange as I was trying to fix the issues is here, along with additional comments.
Wrong Words My Corrections in Phrasing.
My mental commentary while reading.
Thank you for your patience and we are sorry that you are having an unhappy experience with myhosting.com. Because evidently the idea someone would be unhappy about being locked out of their own website surprises us.
Because 90% of our customers are not using Cloudflare for protection or wordpress plugins to stop unwanted access, we implemented this access restrict decided to treat all our users like idiotic children that know nothing about anything. Luckily I have experience with being penalized because of the actions of the few.
Because you appear to have a very secure webspace actually know what the fuck you’re doing and have previously educated our support staff, you would most likely to be safe removing the lines that have been added, but this makes your wordpress website vulnerable to this attack a brute force attack where they just randomly try passwords, so please proceed with caution and make sure all wordpress user passwords are complex and secure. Why in the name of god do you think I use KeePass and generate 20 character password strings, just for the ease in memorization?
We have disabled the .htaccess files on those two websites and they appear to be loading currently, but we broke clean URLs so they’re still not working right, our bad? If you would like, remove all the added code and turn your cloudflare back on. You mean I can unfuck my websites if I so choose!? Here I thought you guys were just out to screw me in front of people I support. And yes I unfucked every one I could as fast as I could, even before I got your permission!
Please let it be known we are trying to protect our customers the best possible way, by nuking the site from orbit by treating our customers like children and blocking their access to their own sites just the same as the attackers. Because of the urgency of the matter, this was the quickest solution, because we were dumb and too lazy to implement deep packet inspection and notice that the brute force attempts always use the same username, admin. We hope this does not ruin are sorry this has completely ruined your experience with myhosting.com. We didn’t consider the ramifications of how our actions could possibly make our customers look in the eyes of their own clients. We will think about possibly not treating all our customers like children in the future but don’t count on it.
The same support guy I’ve been dealing with all day. +1 for that.
That final email just kind of shoved me over the edge with absolutely not wanting to stick around. Seriously, that’s pretty much how I read it when it came in. I didn’t discover the .htaccess issue with clean URLs being totaled until this morning when Sean emailed me.
Seriously +1 to them on ownership for support. Other than this recent shit storm they’ve been a decent host but I’m biting the bullet and going to a VPS. Because of my love for Microsoft Exchange I’ll be getting a separate host for email just for the wife and I but at this point I’m downloading sites one by one and moving them to the VPS when possible.
This site will be the first to move and will hopefully be done by early in the evening. I still need to finish securing the VPS and doing other setup work.