Brute force attacks against WordPress sites

  • March 15, 2012

We talk a lot about the importance of using strong passwords, but sometimes it it hard to see how important it really is, or what can happen if we do not use a strong one. Most people only realize this after they have been compromised for the first time.

Lately we have been seeing many WordPress sites being attacked and hacked through the use of brute force. The administrator leaves the default “admin” user name and chooses a simple password, and never changes it.

Why is it bad that the password is easy and never changed?

There is a technique known as brute-force attack. Like the name implies, access is gained to your environment through brute force. Often conducted by bots, these attacks will run through a compiled list of common passwords and their permutations (i.e., password, Pa$$w0rd, p@ssw0rd, etc..). Yes, the attackers know that you substitute ‘A’ for an ‘@’ and ‘S’ for a ‘$’. Using this method the attackers are gaining access to your wp-admin, this then allows them to serve spam via your posts, deface your home page like we recently saw with ServerPro, and inject any one of the other types of malware roaming the interwebs.

Because of the consistency and prevalence of these attacks, we decided to test it for ourselves. We created a couple different honey pots with the intent of identifying the types of passwords being used, and to better understand the anatomy of these attacks. It didn’t take long. Within a few days, we had captured so much data that we had to share it with you.

Here is what we found…

Anatomy of the attack

Just in the last few days we detected more than 30 IP addresses trying to guess the admin password on our test WordPress sites (wp-login.php). Each one of those tried from 30 to 300 password combinations at each time. Sometimes they would mix that with a few spam comments as well. Example:

146.0.74.234 – 32 attempts
212.67.25.66 – 47 attempts
176.31.253.139 – 211 attempts
91.226.165.164 – 39 attempts
95.79.221.169 – 105 attempts
91.217.178.235 – 40 attempts

And many more IP addresses. We will adding all of them to our IP blacklist and Global Malware view.

Another interesting aspect of the attack is that it wasn’t in parallel, but each request had a 2 second delay from each other. Our theory is that the attackers are doing this to trick tools that look for this to avoid getting blocked, in essence, evading detection. This in turn is giving them free reign, allowing them to try continuously until they win.

Passwords attempted

On all the requests we logged, they only tried to guess the password for the user “admin”. Of the attacks we analyzed, these were the top ranking passwords in each attack:

administrator
admin123
admin
soccer
root
qwerty
q1w2e3
password1
password
pass
admin12
admin1
987654321
123456
12345
111111
000000
passwd

Every time, without fail, they tried these. Yes, we’re not making this up, these attacks each had this list of passwords in common. In addition to these, we saw a couple others such as the ones below:

user1
user
tigger
test123
test
system
sunshine
michelle
iloveu
friend
adminadmin
abc123
666666
654321
555555
444444
333333
222222
1234567890
123456789
12345678
1234
123
wordpress1
winner
webmaster1
webmaster
user1234567890
testtest
sex
service
server
rootroot
root123
p@ssword
private
home123
..

And many more.

The Take-Away

You might find yourself laughing, or rolling your eyes every time you hear a presentation about the importance of using strong passwords or updating your passwords. This is why though, it does not matter how often it’s talked about it, it’s still very prevalent, and the attackers know it. It’s why they are looking for it.

Here are things to consider:

  • Get rid of the default ‘admin’ user.
  • Use a password generator if possible.
  • Check with all the site contributors that have access to your admin panel, ensure they are using password generators.
  • Look at the permissions for each user, everyone does not need to be an admin.

Thought of the day: Web security begins with you!

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Related Tags
22 comments
  3. Pingback: A Closer Look At Brute Force Attacks Against WP Sites

  4. I manage around 70 WP websites and I have found 4 this year that were hacked. Every single one that was hacked was due to a poor password. I always tell people, if you can remember it, it probably isn’t strong enough! The first thing this hacker did in each case was install 2 plugins. These plugins modified all the index.php files and from that point…well, you can imagine.

    I am in the process of creating a WP plugin that notifies me when ever a new plugin is activated. I am hoping that will at least let me know before the site gets indexed as a malware site.

  5. Pingback: Defying Brute Force Attacks on WordPress Logins « Lorelle on WordPress

  6. My site was hacked 3 days ago.. Still trying to fix it.. even my WP Admin area is hacked.. Can’t un install plugins or anything… Anyone able to help me with this?  I’ve check through the index.php and a few other places and can’t find anything..  My site gets redirected to a Drugstore!! 

    1. Can you restore the database from a backup using PHP admin? or ask your hosting service to do so from one of their site backups.

      1. Being new to building  site.. i do not have a back up.. Now i know to do so.  I use siteground and they have been working on it since yesterday.  I looked and problem is in my .htaccess  file.  They fixed it and my site was good for 2 minutes then back to being redirected..  Also In my WordPress Admin panel, I can not even hit some links like “plugins” due to it will redirect from there.   I am hoping for the best…Everything is updated. i’ve changed all passwords for everything as well..

  8. How are you logging the IP addresses for failed logins? And once you have a black list of IPs – how would you restrict them to the login page?
    Noob questions!

  9. Pingback: DVWA Vulnerability: Brute Force

  11.  

    hi,good job,was intresting and helpful for us,thanks for giving such an useful information.

  12. Pingback: Så attackerar hackaren din WordPress-blogg | Binero blogg

  13. Very interesting, I’ve recently had three brute force attacks from the same IP according to the logs.

    How did you discover what passwords were being used during each attempt? 

  14. Pingback: WordPress Security Tip: Do This Now! – Part 2 | I'm Not Marvin
  16. Pingback: Change your admin user in Wordpress - One Day Website
  17. Pingback: Working On Your Website – Delete That Admin Account! » Vita Images

  18. today, my wordpress web w7cloud.com is also effected with this attack, it also damage the database now i cant do any posting on wordpress. any one have idea how i can recover my database.

  19. because i live in holland i can use this trik
    [code]

    $io = strip_tags(addslashes(htmlspecialchars($_SERVER[“REMOTE_ADDR”])));
    $host = gethostbyaddr($_SERVER[‘REMOTE_ADDR’]);
    $land = substr(strrchr($host, “.”), 1);
    if ($land != “nl”) {exit; }
    [/code]

    and the last one i put in htaccess code 😉

    deny from 146.0.74.234

  20. Pingback: Dissecting a WordPress Brute Force Attack | Sucuri Blog

Comments are closed.

Related Categories
You May Also Like