Yesterday afternoon I started getting emails from the Limit Login Attempts plugin over at another WordPress blog I run. It’s a great addition to any self-hosted WordPress installation; it does what the name implies: blocks repeated login attempts against your wp-login.php page. There are some additional best practices in this article in the WordPress Codex.
After looking at the failed login attempts (these from Amsterdam) I decided to look at how many attempts were being made per day in total, and the numbers were much higher than I expected (especially since that blog is relatively low traffic), almost 4,000 attempts in the last two days with about 1,500 from the host that was just blocked.
For grins, I decided to pull the access_logs from last year to see how many attempts were being made per month:
The number of login attempts (minus any from my own IP addresses) is actually much greater than the actual page views on that site, with September being a red letter month. Looking at the access logs, there are no HTTP_REFERER headers and no links followed, just direct form POSTs to wp-login.php, so it looks like I’m on a list somewhere.
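The per-month count described above can be reproduced straight from an Apache combined-format access log. The script below is an added example, not code from the original post or from the Limit Login Attempts plugin: it keeps only POST requests to wp-login.php, drops the blog owner’s own addresses (the set MY_IPS is an assumption), tallies attempts per month and per source IP, and counts how many arrived with no referer, which is the tell-tale sign of a script rather than a human filling in the form. The log lines and IP addresses are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Apache "combined" log format; these are NOT
# the author's real logs, and the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Sep/2012:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3531 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Sep/2012:14:02:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3531 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Sep/2012:09:15:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3531 "-" "python-requests/1.0"
192.0.2.10 - - [04/Sep/2012:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.10 - - [04/Sep/2012:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2012:02:33:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3531 "-" "python-requests/1.0"
203.0.113.5 - - [12/Oct/2012:02:33:06 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Assumption: the blog owner's own address(es), excluded from the counts.
MY_IPS = {"192.0.2.10"}

# One combined-format line: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def login_attempts(log_text, own_ips=frozenset()):
    """Yield parsed POST requests to /wp-login.php, skipping the owner's own IPs.

    Only POSTs count: a GET of wp-login.php just renders the form, while a
    POST is an actual credential submission.
    """
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or rec["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        if rec["ip"] in own_ips:
            continue
        yield rec


def summarize(log_text, own_ips=frozenset()):
    """Count login attempts per month and per source IP, plus how many had no referer."""
    per_month = Counter()
    per_ip = Counter()
    no_referer = 0
    total = 0
    for rec in login_attempts(log_text, own_ips):
        total += 1
        per_month[rec["ts"].strftime("%Y-%m")] += 1
        per_ip[rec["ip"]] += 1
        # Apache writes "-" when the client sent no Referer header.
        if rec["referer"] in ("", "-"):
            no_referer += 1
    return {
        "total": total,
        "per_month": dict(per_month),
        "per_ip": dict(per_ip),
        "no_referer": no_referer,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, MY_IPS)
    print(f"{report['total']} login POSTs, {report['no_referer']} with no referer")
    for month, n in sorted(report["per_month"].items()):
        print(f"  {month}: {n}")
    for ip, n in report["per_ip"].most_common():
        print(f"  {ip}: {n}")
```

To run it against a real server, replace SAMPLE_LOG with the contents of the rotated access_log files for the year (gzipped rotations can be read with gzip.open) and put your own addresses in MY_IPS; the per_ip counter then gives you the same "which host is hammering me" view the plugin emails do, but for the whole year rather than just the hosts that tripped the lockout.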
The Limit Login Attempts plugin I mentioned keeps detailed logs of where the attempts came from, the username they tried, and the number of times that host has been blocked. As you can see from this arbitrary snippet of the log, the ‘admin’ username is the preferred vector of attack:
Once your site has been identified as a WordPress site, expect the same from the script kiddies, and, of course, rename the admin account, folks. I may play around with the data and see what other interesting statistics can be pulled from it.