Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#24647 closed defect (bug) (invalid)

WordPress login page falls into HTTP 406 Not Acceptable error after a few clicks

Reported by: Ricardo2013
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.5.2
Component: General
Keywords:
Focuses:
Cc:

Description (last modified by SergeyBiryukov)

At first I thought this was just my own site, but then I tested a dummy site within the same web hosting account and finally a random WordPress site on the web.

This problem is very easy to reproduce. Simply go to wp-login.php and, instead of logging in, click on the register link or on the "Lost your password?" link and then quickly press the back button to return to the login page. Repeat going to the register or lost password pages and returning to the login page several times, until you get the HTTP 406 Not Acceptable error.

This cripples the login mechanism for a few minutes at least. Excellent for a denial of service attack using only one computer.

Change History (12)

#1 @SergeyBiryukov
7 years ago

  • Description modified (diff)
  • Summary changed from Wordpress login page falls into HTTP 406 Not Acceptable error after a few clicks to WordPress login page falls into HTTP 406 Not Acceptable error after a few clicks

#2 @SergeyBiryukov
7 years ago

Could not reproduce on any of my installs. This sounds specific to a particular hosting provider.

#3 @Ricardo2013
7 years ago

Ok, I can reproduce it at my own site, and at

www.riversend.net.au
emanuelandthetruthaboutfishes.com

WordPress.com sites are not vulnerable to this problem.

This is not about a particular hosting provider I think, but a particular configuration, quite common as I see it.

#4 @Ricardo2013
7 years ago

I'd appreciate it if you could give me an example where it does not happen.

#5 @markoheijnen
7 years ago

You can try out http://vps7751.xlshosting.net/. No issues at all.

It must be a server configuration. Maybe software that detects DDOS attacks. I have no clue but doubt it is a WordPress issue.

#6 @Ricardo2013
7 years ago

Yes, not all sites have issues. This error is generated by the Apache web server. It is not directly a WordPress issue. However, it would be useful if the development team looked into it because it affects some server configurations.

Thanks for the feedback.

#7 @markoheijnen
7 years ago

At this moment we can't look into this since you didn't give us any information about server configuration. It seems like .htaccess or a plugin is causing this, since it only happens on the login pages and not on random site images. Also, do you use any security plugins? Maybe that triggers the issue.

Also I have tested this on Apache without any issues.

#8 @SergeyBiryukov
7 years ago

  • Keywords reporter-feedback added; needs-patch removed

#9 @Ricardo2013
7 years ago

This is not a plugin, because it happens on both my main site and on a dummy site in which I have removed all plugins. Besides, when I blow up the dummy site, my main site also crashes on this (the login page becomes inaccessible), and both sites are on different directories and on different WordPress installations.

I have also given you 2 other sites on the web that suffer from this problem.

I have contacted my web host and if anything relevant to all users comes up, I will update this ticket.

Last edited 7 years ago by Ricardo2013

#10 @Ricardo2013
7 years ago

It seems that the issue has been finally solved. My web hosting service told me that only the offending IP is blocked in this way. I had tried before to test for this, but I didn't do it under strict measures. Now I made the test again, making sure I was accessing the site (after the induced "crash") from a different IP; I could confirm the login page had no problems.

Thanks a lot.
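The distinction comment #10 settles on, whether the 406 block applies only to the requesting IP or to every visitor, is the first thing a site operator should check before filing a bug against WordPress. The script below is an added example, not part of this ticket or of WordPress itself: it parses Apache combined-format access-log lines, counts 406 responses to wp-login.php per client address, and reports whether the block looks per-IP or site-wide. The log lines, IP addresses and timestamps are constructed sample data, and the `/wp-login.php` path filter is an assumption about where the block shows up.

```python
"""
Added example (not from the Trac ticket): summarise HTTP 406 responses to
wp-login.php per client IP from Apache access-log lines, so an operator can
tell whether a host-level block is scoped to one source address (as the
reporter's host described) or affects every client.
"""
import re
from collections import defaultdict

# Apache "combined" log format; the fields used are client IP, request
# line (method + path) and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: 198.51.100.7 bounces between the login, lost-password
# and register pages and starts receiving 406; 203.0.113.9 keeps getting
# normal responses from the same URL at the same time.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Jun/2013:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2312 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jun/2013:10:00:03 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 1980 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jun/2013:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2312 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jun/2013:10:00:05 +0000] "GET /wp-login.php?action=register HTTP/1.1" 406 226 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jun/2013:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 406 226 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Jun/2013:10:00:07 +0000] "GET /wp-login.php HTTP/1.1" 200 2312 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Jun/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def summarize_login_blocks(log_text, path="/wp-login.php"):
    """Map each client IP to {"total": requests to `path`, "blocked": 406 count}."""
    stats = defaultdict(lambda: {"total": 0, "blocked": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != path:
            continue
        stats[rec["ip"]]["total"] += 1
        if rec["status"] == 406:
            stats[rec["ip"]]["blocked"] += 1
    return dict(stats)


def block_scope(stats):
    """'none' if no client saw a 406, 'site-wide' if every client did, else 'per-ip'."""
    blocked = [ip for ip, s in stats.items() if s["blocked"] > 0]
    if not blocked:
        return "none"
    if len(blocked) == len(stats):
        return "site-wide"
    return "per-ip"


if __name__ == "__main__":
    stats = summarize_login_blocks(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(f"{ip:15} requests={s['total']} 406s={s['blocked']}")
    print("block scope:", block_scope(stats))
```

Run against a real access log (`summarize_login_blocks(open("access.log").read())`), a "per-ip" result with one address accumulating 406s after a burst of wp-login.php hits points at host-level rate limiting or a WAF rule rather than WordPress; a "site-wide" result would be the denial-of-service case the reporter initially feared and belongs with the hosting provider.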

#11 @markoheijnen
7 years ago

  • Keywords reporter-feedback removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

#12 @Ricardo2013
7 years ago

  • Cc rflores@… removed