WordPress login page falls into HTTP 406 Not Acceptable error after a few clicks

[Ricardo2013]

At first I thought this was just my own site, but then I tested a dummy site within the same web hosting account and finally a random WordPress site on the web.

This problem is very easy to reproduce. Simply go to wp-login.php and instead of logging in, click on the register link or on the "Lost your password?" link and the quickly press the back button to return to the login page. Repeat going to the register or lost password pages and returning to the login page several times, until you get the

HTTP 406 Not Acceptable error

This cripples the login mechanism for a few minutes at least. Excellent for a denial of service attack using only one computer.

[SergeyBiryukov]

Could not reproduce on any of my installs. This sounds specific to a particular hosting provider.

[Ricardo2013]

Ok, I can reproduce it at my own site, and at

www.riversend.net.au
emanuelandthetruthaboutfishes.com

Wordpress.com sites are not vulnerable to this problem.

This is not about a particular hosting provider I think, but a particular configuration, quite common as I see it.

[Ricardo2013]

I'd appreciate it if you could give me an example where it does not happen.

[markoheijnen]

You can try out ​http://vps7751.xlshosting.net/. No issues at all.

It must be a server configuration. Maybe software that detects DDOS attacks. I have no clue but doubt it is a WordPress issue.

[Ricardo2013]

Yes, not all sites have issues. This error is generated by the Apache web server. It is not directly a WordPress issue. However, it would be useful if the development team looked into it because it affects some server configurations.

Thanks for the feedback.

[markoheijnen]

At this moment we can't look into this since you didn't give us any information about server configuration. It seems like htaccess or a plugin causing this since it only happens on the login pages and not on random site images. Also do you use any security plugins? Maybe that trickers the issue.

Also I have tested this on Apache without any issues.

[Ricardo2013]

This is not a plugin, because it happens on both my main site and on a dummy site in which I have removed all plugins. Besides, when I blow up the dummy site, my main site also crashes on this (the login page becomes inaccessible), and both sites are on different directories and on different WordPress installations.

I have also given you 2 other sites on the web that suffer from this problem.

I have contacted my web host and if anything relevant to all users comes up, I will update this ticket.

[Ricardo2013]

It seems that the issue has been finally solved. My web hosting service told me that only the offending IP is blocked in this way. I had tried before to test for this but I didn't made it under strict measures. Now I made the test again making sure I was accessing the site (after the induced "crash") from a different IP; I could confirm the login page had no problems.

Thanks a lot.