Mass WordPress Brute Force Attacks? – Myth or Reality

We are seeing in the media some noise about a large distributed brute force attacks against all hosts targeting WordPress sites. According to reports, they are seeing a large botnet with more than 90,000 servers attempting to log in by cycling different usernames and passwords against the WordPress access points: /wp-login.php and /wp-admin.

This got us thinking, well we block a lot of attacks why not look at the logs to see what they tell us. So we did.

The Data

Looking back, we can see in our historical database the following:

2012/Dec: 678,519 login attempts blocked

2013/Jan: 1,252,308 login attempts blocked (40k per day)

2013/Feb: 1,034,323 login attempts blocked (36k per day)

2013/Mar: 950,389 login attempts blocked (31k per day)

2013/Apr: 774,104 for the first 10 days – 77,410 per day

As you can see from our numbers, we were seeing 30 to 40 thousand attacks per day the last few months. In April 2013, it increased to 77,000 per day on average, reaching more than 100,000 attempts per day in the last few days.

That means that the number of brute force attempts more than tripled. This sharp increase would lead us to believe that there is some reality to these reports.

Diving deeper into our data we find a few interesting data points. For instance, we can see the top user names being attempted:

652911 [log] => admin
10173 [log] => test
8992 [log] => administrator
8921 [log] => Admin
2495 [log] => root

In these cases, by the shear fact of having a non- admin / administrator / root usernames you are automatically out of the running. Which is kind of nice actually.

FYI, the number value next to the [log] is the number of sites. So the first line item, admin, was used against some 652,911 sites.

As far passwords, this is what we’re seeing:

16798 [pwd] => admin
10880 [pwd] => 123456
9727 [pwd] => 666666
9106 [pwd] => 111111
7882 [pwd] => 12345678
7717 [pwd] => qwerty
7295 [pwd] => 1234567
6160 [pwd] => #@F#GBH$R^JNEBSRVWRVW
5640 [pwd] => password
5446 [pwd] => 12345
5392 [pwd] => $#GBERBSTGBR%GSERHBSR
5058 [pwd] => %G#GBAEGBW%HBFGBFXGB
5024 [pwd] => RGA%BT%HBSERGAEEAHAEH
4861 [pwd] => aethAEHBAEGBAEGEE%
4317 [pwd] => 123
4281 [pwd] => 123qwe
4133 [pwd] => 123admin
4092 [pwd] => 12345qwe
4086 [pwd] => 12369874
3880 [pwd] => 123123
3831 [pwd] => 1234qwer
3814 [pwd] => 1234abcd
3787 [pwd] => 123654
3751 [pwd] => 123qwe123qwe
3744 [pwd] => 123abc
3623 [pwd] => 123qweasd
3606 [pwd] => 123abc123
3422 [pwd] => 12345qwert

Most of these should be expected actually, it’s only what we’ve been reporting for a while.

What does stand out are these:

6160 [pwd] => #@F#GBH$R^JNEBSRVWRVW
5392 [pwd] => $#GBERBSTGBR%GSERHBSR
5058 [pwd] => %G#GBAEGBW%HBFGBFXGB
5024 [pwd] => RGA%BT%HBSERGAEEAHAEH
4861 [pwd] => aethAEHBAEGBAEGEE%

Looking at some of our resources we have found these across a few wordlists which sounds very odd. The most obvious argument is, well crud, they are just randomly generated, right? But then you look at the number of sites it was tried against, that’s where it doesn’t make sense.

Almost feels like we’re missing something that they know.. hummmm.. then again it could be over thinking and we should just be glad they are blocked.

Top Scanner IP

Here is a bit more information for those managing their own servers and hosts. Here are the top 30 malicious IP addresses being used in the various attacks:

#number of attempts – IP Address
41315 31.184.238.38
10004 178.151.216.53
9817 91.224.160.143
8773 195.128.126.6
6838 85.114.133.118
6624 177.125.184.8
5896 89.233.216.203
5534 89.233.216.209
5469 109.230.246.37
5364 188.175.122.21
5110 46.119.127.1
4485 176.57.216.198
4205 173.38.155.22
4114 67.229.59.202
3956 94.242.237.101
3460 209.73.151.64
3443 212.175.14.114
3294 78.154.105.23
3162 50.116.27.19
3054 195.128.126.114
2740 78.153.216.56
2732 31.202.217.135
2661 204.93.60.182
2520 173.38.155.8
2371 204.93.60.75
2303 50.117.59.3
2301 209.73.151.229
2287 216.172.147.251
2234 204.93.60.57
2227 94.199.51.7
2215 204.93.60.185

Should you be concerned?

Depends, what have you implemented to protect yourself against these attacks? The thing to understand about these attacks is that they play on the biggest WordPress vulnerability, you, the end-user. You have to be doing your part, specifically when leveraging good passwords.

If you aren’t, then yes, we’d say it’s worth being a bit concerned about. Especially if any of the data above looks familiar. Some things to consider looking at include solutions like a web application firewall (WAF) similar to our CloudProxy product or ModSecurity to block these attacks before they reach your site / server resources.

Read more: Mass WordPress Brute Force Attacks? – Myth or Reality

Story added 12. April 2013, content source with full text you can find at link above.