Here Are What Malicious WordPress Login Attempts Actually Look Like

Recently we discussed how the WordPress security company Wordfence continues to spread the falsehood that there are a lot brute force attacks on WordPress admin passwords (and then promotes that their plugin is the solution to the problem). An actual brute force attack would involve billions or more attempts and Wordfence’s data showed only millions attempts a day over 100,000s of websites, so 10s of attempts per website. What they actual look to be seeing are dictionary attacks, which involve an attacker trying to log in with common passwords.

The distinction is important because to protect against those all you need to do is use a strong password and you don’t need to install any plugins or continually monitor for failed login attempts (as lot of people are doing due to being mislead about what is going on). We also have have found that people will sometimes get very concerned that they have been hacked when warned by plugins that brute force attacks are going on, but when we explain to them what is actually going on that concern is cleared up because they are already using a strong password.

We thought it would be helpful to show what a couple of these dictionary attacks look like and to see how WordPress’ password strength indicator would rate the passwords tried.

The main portion of our website is powered by Drupal (this blog is powered by WordPress), despite that, we regularly have attempts to login to the main portion of our website as if it was running WordPress through attempts sent to https://www.whitefirdesign.com/wp-login.php. The fact that is happening is reminder that much of the malicious attempts against websites are incredibly crude and that the success rate of hacking attempts is incredibly small. We have been logging login attempts though that for some time and here a couple of recent sets that shows what kind of login attempts are actually going on.

For password strength, we tested it through this blog, running WordPress 4.7, so the relevant domain name was being used to calculate the rating.

The first involves 21 attempts from a Tunisian IP address, where username “admin” was used alongside the following passwords (the password strength is listed in parenthesis):

  • admin (Very weak)
  • demo (Very weak)
  • admin123 (Very weak)
  • 123456 (Very weak)
  • 123456789 (Very weak)
  • 123 (Very weak)
  • 1234 (Very weak)
  • 12345 (Very weak)
  • 1234567 (Very weak)
  • 12345678 (Very weak)
  • 123456789 (Very weak)
  • admin1234 (Very weak)
  • admin123456 (Very weak)
  • pass123 (Very weak)
  • root (Very weak)
  • 321321 (Very weak)
  • 123123 (Very weak)
  • 112233 (Very weak)
  • 102030 (Very weak)
  • password (Very weak)
  • pass (Very weak)

The second involved 52 attempts from IP address in China. Along side the username “admin” the following passwords were tried:

  • admin (Very weak)
  • admin000 (Very weak)
  • admin123 (Very weak)
  • admin000 (Very weak)
  • admin888 (Very weak)
  • admin@ (Very weak)
  • 123admin (Very weak)
  • www_whitefirdesign_com (Weak)
  • www.whitefirdesign.com (Weak)
  • whitefirdesign.com (Very weak)
  • whitefirdesign (Very weak)
  • www-whitefirdesign-com (Weak)
  • wwwwhitefirdesigncom (Weak)
  • adminadmin (Very weak)
  • 123456 (Very weak)
  • adminpassword (Very weak)
  • 12345 (Very weak)
  • 12345678 (Very weak)
  • qwerty (Very weak)
  • 1234567890 (Very weak)
  • 1234 (Very weak)
  • baseball (Very weak)
  • dragon (Very weak)
  • football (Very weak)
  • 1234567 (Very weak)
  • monkey (Very weak)
  • letmein (Very weak)
  • abc123 (Very weak)
  • 111111 (Very weak)
  • mustang (Very weak)
  • access (Very weak)
  • shadow (Very weak)
  • master (Very weak)
  • michael (Very weak)
  • superman (Very weak)
  • 696969 (Very weak)
  • 123123 (Very weak)
  • batman (Very weak)
  • trustno1 (Very weak)

After those they tried logging in with the username “whitefirdesign” and the following passwords:

  • whitefirdesign (Very weak)
  • whitefirdesign000 (Very weak)
  • whitefirdesign123 (Very weak)
  • whitefirdesign000 (Very weak)
  • whitefirdesign888 (Very weak)
  • whitefirdesign@ (Very weak)
  • 123whitefirdesign (Very weak)
  • www_whitefirdesign_com (Weak)
  • www.whitefirdesign.com (Weak)
  • whitefirdesign.com (Very weak)
  • whitefirdesign (Very weak)
  • www-whitefirdesign-com (Weak)
  • wwwwhitefirdesigncom (Weak)

Of the 73 passwords tried (including those used multiple times), 65 of the them were rated as “Very Weak” by WordPress’ password strength indicator and the other 8 were rated as “Weak” (all of the “Weak” ones used some variation of the domain name in them). So WordPress password strength indicator looks to be doing a good job of helping people to pick strong passwords that would not be guessed in a dictionary attack.

Related posts:

  1. Using a Common Password Doesn’t Welcome a Brute Force Attack
  2. Wordfence Continues To Peddle False Claim of Brute Force Attacks To Push Plugin That Doesn’t Protect Against Real Threat
  3. Hiding the WordPress Version Number Will Not Make Your Website More Secure
  4. WordPress Giving Legitimacy to SiteLock By Allowing Them to Sponsor and Attend WordCamps

Leave a Reply

Your email address will not be published.