Analysis of WordPress Login Attempts

Wordpress TargetWaiting for the new year party, this is a last quick post in 2014! It’s not the first time that I see a peak of rogue authentication requests against some of the WordPress websites. But for a while, there is a constant flood of IP addresses trying to bruteforce the WordPress login page. This kind of attack is very common and bots are constantly looking for weak passwords. Looking at the Apache (or any other webserver) log files is not relevant because they don’t log the payload of POST requests. I captured all the POST requests in a pcap file for a few weeks and today I decided to generate some stats!

My rough PCAP file contained 241082 login attempts. I extracted all login/password combinations and passed the results to pipal, the password analyzer wrote by @digininja. Nothing special, the classic weak passwords remain tested. Note that 4K requests where made with the login “‘xavier”‘. This means that, at least, there was some preparation made by the attacker.

Here are the complete results:

Total entries = 241082
Total unique entries = 33252

Top 10 passwords
admin = 1581 (0.66%)
123456 = 1002 (0.42%)
admin123 = 717 (0.3%)
123 = 693 (0.29%)
123123 = 690 (0.29%)
12345 = 687 (0.28%)
password = 552 (0.23%)
1234 = 524 (0.22%)
12345678 = 476 (0.2%)
1234567 = 441 (0.18%)

Top 10 base words
admin = 5120 (2.12%)
password = 1368 (0.57%)
qwerty = 988 (0.41%)
leakedin = 736 (0.31%)
pass = 594 (0.25%)
demo = 514 (0.21%)
rootshell = 479 (0.2%)
test = 453 (0.19%)
administrator = 310 (0.13%)
root = 254 (0.11%)

Password length (length ordered)
1 = 733 (0.3%)
2 = 1217 (0.5%)
3 = 3415 (1.42%)
4 = 21005 (8.71%)
5 = 23279 (9.66%)
6 = 72117 (29.91%)
7 = 40167 (16.66%)
8 = 46567 (19.32%)
9 = 11328 (4.7%)
10 = 6636 (2.75%)
11 = 3660 (1.52%)
12 = 6211 (2.58%)
13 = 1445 (0.6%)
14 = 1278 (0.53%)
15 = 619 (0.26%)
16 = 487 (0.2%)
17 = 316 (0.13%)
18 = 155 (0.06%)
19 = 121 (0.05%)
20 = 116 (0.05%)
21 = 57 (0.02%)
22 = 41 (0.02%)
23 = 14 (0.01%)
24 = 36 (0.01%)
25 = 11 (0.0%)
26 = 11 (0.0%)
27 = 9 (0.0%)
29 = 4 (0.0%)
30 = 10 (0.0%)
31 = 2 (0.0%)
32 = 9 (0.0%)
34 = 1 (0.0%)
37 = 1 (0.0%)
51 = 4 (0.0%)

Password length (count ordered)
6 = 72117 (29.91%)
8 = 46567 (19.32%)
7 = 40167 (16.66%)
5 = 23279 (9.66%)
4 = 21005 (8.71%)
9 = 11328 (4.7%)
10 = 6636 (2.75%)
12 = 6211 (2.58%)
11 = 3660 (1.52%)
3 = 3415 (1.42%)
13 = 1445 (0.6%)
14 = 1278 (0.53%)
2 = 1217 (0.5%)
1 = 733 (0.3%)
15 = 619 (0.26%)
16 = 487 (0.2%)
17 = 316 (0.13%)
18 = 155 (0.06%)
19 = 121 (0.05%)
20 = 116 (0.05%)
21 = 57 (0.02%)
22 = 41 (0.02%)
24 = 36 (0.01%)
23 = 14 (0.01%)
26 = 11 (0.0%)
25 = 11 (0.0%)
30 = 10 (0.0%)
32 = 9 (0.0%)
27 = 9 (0.0%)
29 = 4 (0.0%)
51 = 4 (0.0%)
31 = 2 (0.0%)
37 = 1 (0.0%)
34 = 1 (0.0%)

      |                                                                 
      |                                                                 
      |                                                                 
      |                                                                 
      |                                                                 
      | |                                                               
      | |                                                               
      |||                                                               
      |||                                                               
      |||                                                               
     ||||                                                               
    |||||                                                               
    |||||                                                               
    ||||||                                                              
    ||||||| |                                                           
||||||||||||||||||||||||||||||||||||||||||||||||||||                    
0000000000111111111122222222223333333333444444444455
0123456789012345678901234567890123456789012345678901

One to six characters = 121766 (50.51%)
One to eight characters = 208500 (86.49'%)
More than eight characters = 32582 (13.51%)

Only lowercase alpha = 149693 (62.09%)
Only uppercase alpha = 1058 (0.44%)
Only alpha = 150751 (62.53%)
Only numeric = 32379 (13.43%)

First capital last symbol = 590 (0.24%)
First capital last number = 3363 (1.39%)

Single digit on the end = 15856 (6.58%)
Two digits on the end = 5400 (2.24%)
Three digits on the end = 7762 (3.22%)

Last number
0 = 6120 (2.54%)
1 = 17729 (7.35%)
2 = 6062 (2.51%)
3 = 10835 (4.49%)
4 = 5194 (2.15%)
5 = 4687 (1.94%)
6 = 5179 (2.15%)
7 = 4270 (1.77%)
8 = 3774 (1.57%)
9 = 4539 (1.88%)

 |                                                                      
 |                                                                      
 |                                                                      
 |                                                                      
 |                                                                      
 |                                                                      
 | |                                                                    
 | |                                                                    
 | |                                                                    
 | |                                                                    
||||                                                                    
|||||||  |                                                              
||||||||||                                                              
||||||||||                                                              
||||||||||                                                              
||||||||||                                                              
0123456789

Last digit
1 = 17729 (7.35%)
3 = 10835 (4.49%)
0 = 6120 (2.54%)
2 = 6062 (2.51%)
4 = 5194 (2.15%)
6 = 5179 (2.15%)
5 = 4687 (1.94%)
9 = 4539 (1.88%)
7 = 4270 (1.77%)
8 = 3774 (1.57%)

Last 2 digits (Top 10)
23 = 7037 (2.92%)
00 = 2245 (0.93%)
56 = 2065 (0.86%)
11 = 2046 (0.85%)
12 = 2011 (0.83%)
21 = 1795 (0.74%)
34 = 1786 (0.74%)
45 = 1526 (0.63%)
89 = 1090 (0.45%)
88 = 954 (0.4%)

Last 3 digits (Top 10)
123 = 6586 (2.73%)
456 = 1853 (0.77%)
000 = 1562 (0.65%)
234 = 1529 (0.63%)
321 = 1315 (0.55%)
345 = 1268 (0.53%)
111 = 919 (0.38%)
789 = 752 (0.31%)
567 = 650 (0.27%)
678 = 536 (0.22%)

Last 4 digits (Top 10)
3456 = 1597 (0.66%)
1234 = 1503 (0.62%)
2345 = 1252 (0.52%)
3123 = 804 (0.33%)
1111 = 666 (0.28%)
4321 = 622 (0.26%)
4567 = 619 (0.26%)
6789 = 575 (0.24%)
5678 = 518 (0.21%)
0000 = 494 (0.2%)

Last 5 digits (Top 10)
23456 = 1582 (0.66%)
12345 = 1230 (0.51%)
23123 = 800 (0.33%)
34567 = 595 (0.25%)
56789 = 553 (0.23%)
11111 = 521 (0.22%)
45678 = 505 (0.21%)
54321 = 500 (0.21%)
00000 = 348 (0.14%)
77777 = 302 (0.13%)

Character sets
loweralpha: 149693 (62.09%)
loweralphanum: 38766 (16.08%)
numeric: 32379 (13.43%)
mixedalphanum: 6353 (2.64%)
mixedalphaspecialnum: 2454 (1.02%)
loweralphaspecialnum: 2121 (0.88%)
mixedalpha: 1861 (0.77%)
loweralphaspecial: 1754 (0.73%)
upperalpha: 1058 (0.44%)
upperalphanum: 716 (0.3%)
mixedalphaspecial: 504 (0.21%)
upperalphaspecialnum: 414 (0.17%)
specialnum: 398 (0.17%)
special: 276 (0.11%)
upperalphaspecial: 135 (0.06%)

Character set ordering
allstring: 152612 (63.3%)
alldigit: 32379 (13.43%)
stringdigit: 29763 (12.35%)
othermask: 13658 (5.67%)
digitstring: 4853 (2.01%)
stringdigitstring: 3520 (1.46%)
digitstringdigit: 1357 (0.56%)
stringspecialstring: 939 (0.39%)
stringspecialdigit: 664 (0.28%)
stringspecial: 633 (0.26%)
allspecial: 276 (0.11%)
specialstring: 227 (0.09%)
specialstringspecial: 201 (0.08%)

About the sources now:

  • 3552 uniques IP addresses were detected
  • 0.18% of the requests were generated by IPv6 addresses

Here is the top-20 of the source AS numbers:

AS Requests
AS16276 (OVH) 44754
As62639 (CRISSIC) 20089
AS26163 (DATAGRAM) 20079
AS36351 (SOFTLAYER) 20068
AS34233 (SUPERIOR-AS) 18829
AS24940 (HETZNER-AS) 16142
AS14618 (AMAZON-AES) 15950
AS33322 (NDCHOST) 10044
AS27257 (WEBAIR-INTERNET) 9143
AS46606 (UNIFIEDLAYER-AS-1) 8389
AS19715 (YOUBET) 5472
AS30633 (LEASEWEB-US) 5348
AS12874 (FASTWEB) 5292
AS9121 (TTNet) 4812
AS57043 (HOSTKEY-AS) 4471
AS8622 (ISIONUK) 4111
AS50710 (EarthLink-AS) 3611
AS12876 (ONLINE S.A.S.) 3133
AS45538 (VNNIC-ASBLOCK-VN) 1918
AS3352 (Telefonica_de_Espana) 1775

From a time perspective, I had two peaks of attempts as seen on the graph below. Otherwise, the webservers are facing a constant rate of ~20 attempts/hour. Note that the attackers are rate-limited by OSSEC and often temporary blocked.

Wordpress Login Attempts
(Click to enlarge)

6 comments

  1. Try to use a different login page url (default: /wp-login). I change the login page url I no more login attempts.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.