Recently, I read at my fellow hosting provider Superhosting.BG about a global, worldwide brute-force attack against a lot of WordPress blogs (post in Bulgarian).
I decided to quickly check what the actual attack activity was, so I installed the Limit Login Attempts WordPress plugin. What this plugin does is log all incorrect login attempts; if they go above a given threshold, it blocks the IP for a while and logs the blocking. After a few blockings, it blocks the IP for a day or so.
This functionality, of course, immediately blocks any brute-force attempt. What’s more interesting here, though, is the fact that it logs the attempts. That was more interesting for me because it gave me a chance to evaluate the attack size. And here’s what I got, just for 2 days:
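To make the escalating lockout logic concrete, here is a small model of it written for this post (example code, not the plugin's own; the thresholds, IPs and log lines are constructed assumptions). It replays failed logins and produces the same IP / username / lockout-count summary the plugin's log gives.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds modelled on the behaviour described above, not the plugin's real defaults.
FAILS_PER_LOCKOUT = 4
SHORT_LOCKOUT = timedelta(minutes=20)
LOCKOUTS_BEFORE_LONG = 4
LONG_LOCKOUT = timedelta(hours=24)

class LoginLimiter:
    def __init__(self):
        self.fails = defaultdict(int)      # ip -> failures since the last lockout
        self.lockouts = defaultdict(int)   # ip -> lockouts issued so far
        self.locked_until = {}             # ip -> time the current lockout expires
        self.usernames = defaultdict(set)  # ip -> usernames it tried

    def attempt(self, ts, ip, username, success):
        """Handle one login attempt; returns 'locked', 'ok' or 'fail'."""
        if ip in self.locked_until and ts < self.locked_until[ip]:
            return "locked"                # still locked: the password is not even checked
        if success:
            self.fails[ip] = 0
            return "ok"
        self.fails[ip] += 1
        self.usernames[ip].add(username)
        if self.fails[ip] >= FAILS_PER_LOCKOUT:
            self.fails[ip] = 0
            self.lockouts[ip] += 1
            # every LOCKOUTS_BEFORE_LONG-th lockout escalates to the day-long one
            escalate = self.lockouts[ip] % LOCKOUTS_BEFORE_LONG == 0
            self.locked_until[ip] = ts + (LONG_LOCKOUT if escalate else SHORT_LOCKOUT)
        return "fail"

    def report(self):
        """Same shape as the plugin's log table: ip -> (usernames tried, lockouts)."""
        return {ip: (sorted(self.usernames[ip]), n) for ip, n in self.lockouts.items()}

def replay(lines):
    """Replay constructed log lines of the form 'ISO-timestamp ip username FAIL|OK'."""
    lim = LoginLimiter()
    outcomes = []
    for line in lines:
        ts, ip, user, result = line.split()
        outcomes.append(lim.attempt(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return lim, outcomes

# Constructed sample: one IP hammers "admin" ten times in a minute; a real user typos once, then logs in.
SAMPLE = [f"2013-04-12T10:00:{i:02d} 203.0.113.5 admin FAIL" for i in range(10)] + [
    "2013-04-12T10:05:00 198.51.100.7 editor FAIL",
    "2013-04-12T10:05:10 198.51.100.7 editor OK",
]
```

Running `replay(SAMPLE)` locks the attacker out after the fourth failure, so the remaining six attempts are rejected without a password check, while the legitimate user is unaffected.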
| IP | Tried to log in as |
|---|---|
| 18.104.22.168 | admin (8 lockouts) |
| 22.214.171.124 | admin (8 lockouts) |
| 126.96.36.199 | admin (2 lockouts) |
| 188.8.131.52 | admin (1 lockout) |
| 184.108.40.206 | Bymnacculnela (2 lockouts) |
| 220.127.116.11 | admin (1 lockout) |
| 18.104.22.168 | admin (1 lockout) |
| 22.214.171.124 | admin (1 lockout) |
| 126.96.36.199 | admin (1 lockout) |
| 188.8.131.52 | admin (1 lockout) |
| 184.108.40.206 | Admin (1 lockout) |
| 220.127.116.11 | admin (1 lockout) |
Obviously, there was some “unhealthy” interest, but I never expected the scale to be that big. And they were all shooting for “the big fella”, the “admin” account.
So it was time to change the admin username. Obviously, the success of the attack relies on the fact that WordPress comes with the default “admin” username. If I change the username to something else, the attack can never succeed, even if by some crazy stupid chance it guesses my password right (a 12+ symbol password). It was a pretty quick change, although I had to play with the database directly (I’m almost sure there’s a plugin to do the job as well).
Now all seems safe. My WordPress applications locked my account twice until I realized that I had to change the username there too, but that was the only harm so far.
So, if you’re managing a WordPress blog, I urgently advise you to install Limit Login Attempts and change your admin user password (if you have only one admin user; if you have many, you have to live with the plugin only). Otherwise, you’re pretty much exposed to (some) risk, especially if you have an easily guessable WordPress admin password.