Over the last year or so we’ve been monitoring WordPress hack attempts. Everyone knows that using an account named “Admin” (the default WordPress login years back) is ripe for brute-force login attacks. What’s interesting is that the same sites often get attacked repeatedly with the same login username, from the same IP, just at later dates.
Recently there’s been a major uptick in these WordPress brute-force botnet attacks. While the attackers generally never get through, since we all have strong passwords, the attempts do consume server resources.
Here’s an alphabetical listing of the top 15+ usernames attempted. All capitalization variants are also tried, from differing IPs. Since it’s easy to determine most usernames on a WordPress install, I’m baffled as to why these particular usernames are the ones in current circulation – I assume it’s just low-hanging fruit.
- %%%nofind%%%
- 1234567in
- aaa
- adm
- admin
- admin1
- administrator
- adminka
- anna
- contributer
- manager
- qwerty
- root
- support
- sysadmin
- test
- user
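The pattern described above (the same IP coming back on later dates, capitalization variants of one username, odd placeholder strings) is easy to pull out of a failed-login log. The script below is an added example, not code from the original post or from WordPress; it assumes a simple one-record-per-line log such as a login-security plugin might write, and the `ip=`/`user=` field names and the sample records are constructed for this example.

```python
"""Summarise WordPress failed-login records to spot brute-force botnets.

Added example (not from the original post). It assumes a one-line-per-failure
log such as a login-security plugin might write; the field names (ip=, user=)
and the sample records below are constructed for this example.
"""
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed sample log: one IP returning on a later date, capitalisation
# variants of "admin", an unsubstituted-looking placeholder, and a junk line.
SAMPLE_LOG = """\
2013-04-10 02:13:41 FAILED LOGIN ip=198.51.100.7 user=admin
2013-04-10 02:13:44 FAILED LOGIN ip=198.51.100.7 user=Admin
2013-04-10 02:13:47 FAILED LOGIN ip=198.51.100.7 user=ADMIN
2013-04-10 02:14:02 FAILED LOGIN ip=203.0.113.9 user=administrator
2013-04-10 09:30:11 FAILED LOGIN ip=203.0.113.9 user=%%%nofind%%%
2013-04-14 23:01:05 FAILED LOGIN ip=198.51.100.7 user=admin
2013-04-14 23:01:09 FAILED LOGIN ip=198.51.100.7 user=test
2013-04-15 00:00:00 FAILED LOGIN ip=192.0.2.33 user=editor
this line is not a login record
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) FAILED LOGIN "
    r"ip=(?P<ip>[0-9.]+) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Return (date, ip, user) for a failed-login record, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (date.fromisoformat(m["date"]), m["ip"], m["user"])


def summarize(log_text):
    """Per-IP attempt count, distinct days seen, and case-folded usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "days": set(), "users": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # ignore lines that are not login records
        day, ip, user = rec
        s = stats[ip]
        s["attempts"] += 1
        s["days"].add(day)
        # Fold case so admin/Admin/ADMIN count as one guessed account.
        s["users"].add(user.lower())
    return dict(stats)


def repeat_offenders(stats, min_days=2):
    """IPs that came back on at least `min_days` distinct dates."""
    return sorted(ip for ip, s in stats.items() if len(s["days"]) >= min_days)


def noisy_sources(stats, min_attempts=3):
    """IPs whose attempt count alone justifies a block or rate limit."""
    return sorted(ip for ip, s in stats.items() if s["attempts"] >= min_attempts)


def username_frequency(log_text):
    """Case-folded count of every username tried, most common first."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[rec[2].lower()] += 1
    return counts.most_common()


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(ip, s["attempts"], "attempts over", len(s["days"]), "day(s):",
              sorted(s["users"]))
    print("returning IPs:", repeat_offenders(stats))
    print("noisy IPs:", noisy_sources(stats))
    print("usernames tried:", username_frequency(SAMPLE_LOG))
```

Point it at a real log by swapping `SAMPLE_LOG` for the file contents and adjusting `LINE_RE` to your plugin's format. Usernames are case-folded before counting because the variants are all guesses at one account; the `%%%nofind%%%` entry is kept verbatim rather than filtered, since an oddity like that is itself a useful fingerprint of a particular attack tool.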
The easiest fix would be to simply move the login page to another location on the server, or restrict access to it. We’ll see what the folks at Automattic do in the coming months.