Brute force attacks against WordPress sites

We talk a lot about the importance of using strong passwords, but sometimes it it hard to see how important it really is, or what can happen if we do not use a strong one. Most people only realize this after they have been compromised for the first time.

Lately we have been seeing many WordPress sites being attacked and hacked through the use of brute force. The administrator leaves the default “admin” user name and chooses a simple password, and never changes it.

Why is it bad that the password is easy and never changed?

There is a technique known as brute-force attack. Like the name implies, access is gained to your environment through brute force. Often conducted by bots, these attacks will run through a compiled list of common passwords and their permutations (i.e., password, Pa$$w0rd, p@ssw0rd, etc..). Yes, the attackers know that you substitute ‘A’ for an ‘@’ and ‘S’ for a ‘$’. Using this method the attackers are gaining access to your wp-admin, this then allows them to serve spam via your posts, deface your home page like we recently saw with ServerPro, and inject any one of the other types of malware roaming the interwebs.

Because of the consistency and prevalence of these attacks, we decided to test it for ourselves. We created a couple different honey pots with the intent of identifying the types of passwords being used, and to better understand the anatomy of these attacks. It didn’t take long. Within a few days, we had captured so much data that we had to share it with you.

Here is what we found…

Anatomy of the attack

Just in the last few days we detected more than 30 IP addresses trying to guess the admin password on our test WordPress sites (wp-login.php). Each one of those tried from 30 to 300 password combinations at each time. Sometimes they would mix that with a few spam comments as well. Example:

146.0.74.234 – 32 attempts
212.67.25.66 – 47 attempts
176.31.253.139 – 211 attempts
91.226.165.164 – 39 attempts
95.79.221.169 – 105 attempts
91.217.178.235 – 40 attempts

And many more IP addresses. We will adding all of them to our IP blacklist and Global Malware view.

Another interesting aspect of the attack is that it wasn’t in parallel, but each request had a 2 second delay from each other. Our theory is that the attackers are doing this to trick tools that look for this to avoid getting blocked, in essence, evading detection. This in turn is giving them free reign, allowing them to try continuously until they win.

Passwords attempted

On all the requests we logged, they only tried to guess the password for the user “admin”. Of the attacks we analyzed, these were the top ranking passwords in each attack:

administrator
admin123
admin
soccer
root
qwerty
q1w2e3
password1
password
pass
admin12
admin1
987654321
123456
12345
111111
000000
passwd

Every time, without fail, they tried these. Yes, we’re not making this up, these attacks each had this list of passwords in common. In addition to these, we saw a couple others such as the ones below:

user1
user
tigger
test123
test
system
sunshine
michelle
iloveu
friend
adminadmin
abc123
666666
654321
555555
444444
333333
222222
1234567890
123456789
12345678
1234
123
wordpress1
winner
webmaster1
webmaster
user1234567890
testtest
sex
service
server
rootroot
root123
p@ssword
private
home123
..

And many more.

The Take-Away

You might find yourself laughing, or rolling your eyes every time you hear a presentation about the importance of using strong passwords or updating your passwords. This is why though, it does not matter how often it’s talked about it, it’s still very prevalent, and the attackers know it. It’s why they are looking for it.

Here are things to consider:

  • Get rid of the default ‘admin’ user.
  • Use a password generator if possible.
  • Check with all the site contributors that have access to your admin panel, ensure they are using password generators.
  • Look at the permissions for each user, everyone does not need to be an admin.

Thought of the day: Web security begins with you!

Scan your website for free:
About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid