WordPress Bruteforce Attack
Having some fun documenting what the bad guys are up to…
Lately I’ve been hit by quite a few brute force attacks against a couple of WordPress installations. Nothing new, this has been circling the media for quite some time, and I really don’t feel like I’m being targeted. I’m just a poor soul that shows up in a Google search running a WP install…
So since the automatic attack tries to do a POST to wp-login.php on the root, I basically just changed my wp-login.php to generate a log file with the content they were trying to log in with.
Here are some numbers.
Number of hits: 5063
Number of unique IPs: 1391
Top username: admin / adminstrator
Top password: irving / capetown (12 hits and 10 hits)
This was recorded between 11m on the 16th of May and 03am on the 22nd of May.
Somehow I’ve got quite a few hits with an empty username (1383), not sure why because they are sending a password.
A fault in their automatic attack? Other interesting information: if you do not have an account with the name “admin”, “adminstrator” or “adminadmin” you’re pretty safe, it looks like these are the only account names they are trying… And for the passwords, it looks like a dictionary attack with little complexity added. An average of 6,1 characters per password, and the longest one with 12 characters. Two passwords with special characters, “ko#>|7Sz” and “p@assword”; all others are lowercase and/or with numbers or normal English characters.
For anyone interested, here is the complete dump file (data is still being generated)
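The summary figures above can be reproduced from such a log with a short script. This is an added example, not the author's code; the post does not show its log format, so the tab-separated layout (timestamp, IP, username, password), the function name `summarize` and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log, not the author's data. Assumed layout per line:
# timestamp <TAB> client IP <TAB> submitted username <TAB> submitted password
SAMPLE_LOG = "\n".join([
    "t1\t192.0.2.10\tadmin\tirving",
    "t2\t192.0.2.10\tadmin\tcapetown",
    "t3\t198.51.100.7\tadminstrator\tirving",
    "t4\t203.0.113.5\t\tp@assword",          # empty username, password present
    "t5\t203.0.113.5\tadminadmin\tko#>|7Sz",
    "t6\t192.0.2.44\tadmin\tirving",
    "malformed line without any tabs",       # skipped by the parser
])


def summarize(log_text, top_n=3):
    """Compute hit counts, top credentials and password statistics."""
    rows = []
    for line in log_text.split("\n"):
        # maxsplit=3 keeps any tab characters inside the password field intact
        parts = line.split("\t", 3)
        if len(parts) == 4:
            rows.append(parts)

    passwords = [r[3] for r in rows]
    lengths = [len(p) for p in passwords]
    return {
        "hits": len(rows),
        "unique_ips": len({r[1] for r in rows}),
        "top_usernames": Counter(r[2] for r in rows).most_common(top_n),
        "top_passwords": Counter(passwords).most_common(top_n),
        "empty_usernames": sum(1 for r in rows if r[2] == ""),
        "avg_password_len": round(sum(lengths) / len(lengths), 1) if lengths else 0.0,
        "max_password_len": max(lengths, default=0),
        # anything outside plain ASCII letters and digits counts as "special"
        "special_char_passwords": sorted(
            {p for p in passwords if re.search(r"[^A-Za-z0-9]", p)}
        ),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A log like this holds every submitted password, including any a legitimate user mistypes, so it belongs outside the web root with restricted file permissions.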