Brute force attacks against WordPress sites
We talk a lot about the importance of using strong passwords, but sometimes it it hard to see how important it really is, or what can happen if we do not use a strong one. Most people only realize this after they have been compromised for the first time.
Lately we have been seeing many WordPress sites being attacked and hacked through the use of brute force. The administrator leaves the default “admin” user name and chooses a simple password, and never changes it.
Why is it bad that the password is easy and never changed?
There is a technique known as brute-force attack. Like the name implies, access is gained to your environment through brute force. Often conducted by bots, these attacks will run through a compiled list of common passwords and their permutations (i.e., password, Pa$$w0rd, p@ssw0rd, etc..). Yes, the attackers know that you substitute ‘A’ for an ‘@’ and ‘S’ for a ‘$’. Using this method the attackers are gaining access to your wp-admin, this then allows them to serve spam via your posts, deface your home page like we recently saw with ServerPro, and inject any one of the other types of malware roaming the interwebs.
Because of the consistency and prevalence of these attacks, we decided to test it for ourselves. We created a couple different honey pots with the intent of identifying the types of passwords being used, and to better understand the anatomy of these attacks. It didn’t take long. Within a few days, we had captured so much data that we had to share it with you.
Here is what we found…
Anatomy of the attack
Just in the last few days we detected more than 30 IP addresses trying to guess the admin password on our test WordPress sites (wp-login.php). Each one of those tried from 30 to 300 password combinations at each time. Sometimes they would mix that with a few spam comments as well. Example:
18.104.22.168 – 32 attempts
22.214.171.124 – 47 attempts
126.96.36.199 – 211 attempts
188.8.131.52 – 39 attempts
184.108.40.206 – 105 attempts
220.127.116.11 – 40 attempts
Another interesting aspect of the attack is that it wasn’t in parallel, but each request had a 2 second delay from each other. Our theory is that the attackers are doing this to trick tools that look for this to avoid getting blocked, in essence, evading detection. This in turn is giving them free reign, allowing them to try continuously until they win.
On all the requests we logged, they only tried to guess the password for the user “admin”. Of the attacks we analyzed, these were the top ranking passwords in each attack:
Every time, without fail, they tried these. Yes, we’re not making this up, these attacks each had this list of passwords in common. In addition to these, we saw a couple others such as the ones below:
And many more.
You might find yourself laughing, or rolling your eyes every time you hear a presentation about the importance of using strong passwords or updating your passwords. This is why though, it does not matter how often it’s talked about it, it’s still very prevalent, and the attackers know it. It’s why they are looking for it.
Here are things to consider:
- Get rid of the default ‘admin’ user.
- Use a password generator if possible.
- Check with all the site contributors that have access to your admin panel, ensure they are using password generators.
- Look at the permissions for each user, everyone does not need to be an admin.
Thought of the day: Web security begins with you!