In early August we noticed a brute-force attack that was targeting our login form.

The attackers were targeting 6 specific Spin Rewriter accounts, and they were sending us hundreds of login attempts per minute that were coming in from a variety of different IP addresses.

These login attempts were trying what appeared to be a set of predetermined passwords (we have no way of knowing the exact passwords that were used in the attack because we always hash the passwords before storing them, like every web service should).

So, first the good news: None of the accounts were compromised. The attackers gave up after a couple of hours, after getting nowhere.

And the even better news: In light of this, we've taken another look at our login system and the code that powers it. We are extremely satisfied with how well it has done, and we've now also tweaked a few parameters to make the login system even more secure, out of an abundance of caution.

Without revealing too much (this information could help guide potential attackers in any future attacks), our login system remains truly state-of-the-art, following all modern security standards, now also including rate-limiting after a set number of failed login attempts in a certain time frame, and so on.

So you can rest assured that your Spin Rewriter account (and all of your articles and other information inside of it) is safe and waiting for you — and you only.

Previous blog post: Our WordPress Plugin - updated!

Next blog post: Our blog has a new home!