17 Nov 18, 2014
About a year ago, I developed a WordPress extension called WP Login Attempt Log. All it does is log every incorrect login attempt to your WordPress page and display some graphics and a way to search the logs. It logs the username, the password, the IP address and also the user agent, e.g. the browser version.
Observation number 1: attacks come and go
One thing that is striking about this graph is how much the number of attacks differ per day. Some day I will get tens of thousands of attempts, on other days I will get under 100. On average, though, I get about 2200 attempts per day, 15,000 per week and 60,000 per month. It suggests that my site is part of a rotation, or maybe that someone really wants to hack my blog on mondays.
Observation number 2: passwords are tried multiple times
All in all, there’s about 36,000 unique passwords that have been used to brute-force my WordPress blog. From the total number of around 360,000 attacks, each password must is used on average of 10 times. But of course, some are used more than others, as you can see in the table below.
What’s interesting is that there’s not a larger amount of different passwords. From the large password database leaks the past few years – we’re talking tens of millions – one could expect the amount of different passwords more closely matching the number of total attempts.
Of course, there might also just be 10 different people out to hack my blog, and they all have the same password list. :-)
Observation number 3: the most common password is “admin”
An empty password was tried around 5,300 times. Here’s a list of the most used passwords, along with how many times they were used:
This is not a list of recommended passwords. :-) Definitely don’t use any of those.
Observation number 4: 100 IP addresses account for 83% of the attempts
The top 1 IP address that have tried hacking my blog, 18.104.22.168, originates from a location you wouldn’t suspect: Amazon. That IP has tried to attack my blog a whopping 45,000 times, 4 times that of the second IP on the list.
I took the top 25 offenders and did a WHOIS on them. I guess if you’re looking for a server company to do your WordPress hacking, here you go:
|Attempts||IP Address||ISP||Country Code|
|10425||22.214.171.124||Green Web Samaneh Novin Co||IR|
|10048||126.96.36.199||Webfusion Internet Solutions||GB|
|10040||188.8.131.52||Hetzner Online AG||DE|
|10040||184.108.40.206||Kaunas University of Technology||LT|
|10036||220.127.116.11||012 Smile Communications||IL|
|10035||18.104.22.168||Private Joint Stock Company datagroup||UA|
|10030||22.214.171.124||Joint Stock Company TYVASVIAZINFORM||RU|
|10029||126.96.36.199||Amt Services srl||IT|
|9327||188.8.131.52||Inetmar internet Hizmetleri San. Tic. Ltd. Sti||TR|
|9208||184.108.40.206||TIME dotCom Berhad||MY|
|8201||220.127.116.11||INTERWERK – Rotorfly Europa GmbH & Co. KG||DE|
|6952||18.104.22.168||velia.net INternetdienste GmbH||DE|
|3202||22.214.171.124||Hetzner Online AG||DE|
Another interesting thing about this is is the amount of IPs hovering at around 10,000 attempts. It seems like there’s a limit where the attacker gave up, moved on to the next target. Maybe all these are a part of a single botnet, and each machine in it is only allowed to attack 10,000 times. Who knows.
Observation number 5: protect yourself by using an unique username
WordPress hackers are really sure that you’ll use a pretty standard username, or at least something to do with the name of your blog. A total of just 165 different usernames were tried, compared to the tens of thousands of passwords.
Therefore my final takeaway is to choose an obscure username as well as an obscure password. There’s only 11 usernames that have been used more than a hundred times. This was kind of surprising to me.
That’s a lotta attacks, what do I have to fear?
WordPress blogs is one of the most targeted platforms for hackers, many sites use it, from big news organisations to small blogs like this one. If someone can get a login and start fiddling with your links, they can boost traffic to their own viagra peddling sites.
But, as long as you keep your software updated (WordPress makes this very, very easy) and keep the following two rules in mind, you’re totally safe.
Bottom line: Set a lengthy password consisting of random characters, letters and digits, and use a username that’s not a part of your name, site URL or “admin”. Maybe just use some random letters, your password manager will remember it after all.
If you do those two things, there’s nothing to worry about.
If you have your own take on this data, or think I’ve misinterpreted something, feel free to leave a comment below or on Hacker News – I’d love to hear your thoughts.