[wp-hackers] Admin Login Brute Force Attacks

Alex Rayan alexrayan69 at gmail.com
Wed Mar 20 18:54:56 UTC 2013

Hi Chris,

I'm also managing dozens of Wordpress instances and have "limit login
attempts" installed on most of these sites. I also disabled the error
message that is displayed on incorrect username / password attempt by
default since this message shows specifically what (username or password)
was incorrect.
With that disabled brute force attacks are pretty useless with a strong
username / password combination so one wouldn't need to worry about that.
I also have "Activity Monitor" plugin installed that allows you to monitor
selectively what activity happened in the backend including login attempts
with incorrect passwords and usernames tried.
Most of the logs of Activity Monitor show that the first and only username
tried in brute force attacks is "admin". And since the error message for
incorrect login is disabled, there is no way for the code to know that
"admin" username doesn't exist, so the code usually keeps trying to "guess"
the password for the username "admin".
In short, brute force attacks is a common occurrence, but by disabling the
error message we could significantly limit the possibility of "guessing"
the right username / password combination.

Best regards,

On Wed, Mar 20, 2013 at 2:19 PM, Chris Williams <chris at clwill.com> wrote:

> I have about a dozen WP sites that I manage, and recently experienced a
> break-in on many of them.  After a bunch of work I located all the hacked
> files (virtually every index.php, header.php, footer.php, and functions.php
> they could find) along with some cute additions to wp-includes, and cleaned
> up the sites.  Was annoying, especially since the attack got the sites
> listed on AVG's threat labs for 30 days.  Ugh...  But that's behind me.
> I rigorously keep them up to date (see other thread) in all but one case
> where updates are prevented by dependencies.  Nonetheless, the sites are
> under constant attack (lately from one especially tenacious IP address in
> Russia) attempting brute force attacks on the admin account.  I believe
> this is how access was gained.  Since this attack I have:
>  *   Removed the "admin" account in favor of another username with admin
> privs.  Should have done this ages ago, of course
>  *   Gone with much more robust (and different per site -- doh!) passwords
> for the account with admin privs
>  *   Set the config parameter to remove file editing capability (I believe
> this is how the files were changed)
>  *   Installed the "exploit scanner" plug-in and review it at least weekly
>  *   Installed the "limit login attempts" plug-in and have it send me
> lockout information
> Since I have taken these measures, the sites have been clean.  Still, the
> sites are under attack, and I get daily notices from "limit login attempts"
> of IPs being locked out due to repeated attempts to login to "admin".  They
> get four tries, after that they get an hour timeout, if they get four hour
> timeouts, they are locked out for a day (and I get a notice).  At least one
> of my sites sends me a notice every day.  Often from this same IP.  At
> least I know they aren't getting more than 16 tries a day :)
> Of course, I could simply put this IP in the .htaccess file, and I will
> likely do that if s/he doesn't give up here soon.  But this has me thinking
> about what WP could do in core to improve defense against brute force
> attacks against accounts with administrator privileges.
> I'd like to see WP have as core functionality at least two things:
>  1.  Limiting of login attempts.  Virtually every system that uses
> username/password to control access has some limit on attempts.  They vary
> widely, but the approach the "limit login attempts" plugin uses is pretty
> good.  I'd like to see this in core.
>  2.  Some recording of logins, at the very least "last login date/time"
> per user.  So when you are logged in, up there near "Howdy" would be "last
> login at: xxx".  If this had been in place, like it is on my bank account
> and many other places (that I check every time I log in), I would likely
> have noticed the brute force break-in days sooner and limited the damage.
> As someone on the other thread noted, WP has done a great job of closing
> up vulnerabilities, but literally every WP site on the planet (all
> 60,000,000 of them) is vulnerable to brute force attacks.  These seem like
> small, relatively easy measures to help defend against them.
> Chris
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list