WordPress login attempts – observations and conclusions

According to some sources, WordPress  powers approximately 18.9% of all known websites. Not sure of the exact specifics and I don’t think it’s relevant to question them, but I think most people agree that a lot of websites are using WordPress. Which makes it a clear target for both mass and targeted online attacks. Given the fact that like with other software or systems, a lot of WordPress installations are poorly managed by their users from a security perspective, especially when it comes to updates and proper credentials, the ease of compromise increases attracting even more attackers.

Several months ago I decided to install a plugin that would record the WordPress login attempts on my blog. It was interesting to see that even for a relatively low traffic blog, I still got bombarded with dictionary attacks and manual login attempts on a daily basis. A daily average of 187,6 as it can be seen in the stats below.

wp login attempt overview

I would have expected that there would be mostly dictionary attacks with the classic username and passwords, like admin:admin and admin:12345. But it wasn’t like that. Of course it included that (a lot) but 4 of the top 10 most tried usernames were linked to the domain name / author.


wp login attempt usernames

Not the same goes for passwords, as only 2 of the top 10 most tried passwords were related to the domain. The rest were part of the worst password list.


wp login attempt passwords

Curious facts

User agent strings

Most user-agent strings used by the scripts/attackers were related to Firefox or Chrome (Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36). Some of them were like the ones below :






After a quick google search I can see that it’s present in other weblogs out there. No idea what kind of ruby script is responsable for that. If you have any ideas, please leave a comment below.


Some usernames were really straight out of some weird dictionaries, including:





Top 10 most “insistent” IPs.

top 10 login attempt ips may september

For a downloadable list go to Resources.

Avoid getting owned

The most easiest way to avoid getting owned by such attacks is to have proper credentials. No lame top 100 worst passwords and no common/user and domain related usernames. Period. Of course there are other ways of getting owned even if you have strong credentials but that depends on many factors. Using HTTPS on your website and not transmitting passwords in plain text can also prevent credential leaking while eavesdropping on your connection.

If invalid login attempts are becoming a problem (like starting to have a DoS effect on the website, eating up resources, or just plain annoying)

Not placing WordPress files in web root

I’ve noticed at some other friends blogs that they had hit rate of 0 , by having their WordPress files in a folder located on root. His folder name is “wordpress” and as well as wordpress installations on the web root, there are automated tools to target it (and most likely for other folder names like “blog” and “wp”), even though it wasn’t the case for him. So a good name would a not common one to be included in such dictionary attack scripts.

Replacing the login link with another

WordPress authenticates at /wp-login.php, people usually access it from /wp-admin or /admin.All scripts and malicious visitors usually go straight to those links.

Password protecting the login page

Adding basic authentication via .htaccess or web hosting control panel can do the trick. If not, there’s probably a Wordpress plugin that can do that.

Banning IPs after failed login attempts or known malicious IPs

Temporary or permanent banning of IPs can help cut the annoyance. Depending the IPs (if their attackers or just zombie PCs) you might not want to permanently ban them as you can cut some traffic from your website. Wordfence is a plugin that can do the trick.

Add 2 factor authentication

There are a lot of ways of implementing this in WordPress. A free choice would be Google Authenticator.



It would be interesting to have a centralized database of failed login attempts from WordPress installations from different countries/IP ranges. By having this, we can learn more about compromised PCs being used as bots, and their associated IPs, as well as dictionaries being used. If you have a self hosted WP blog and find this interesting too, send me an email and let’s see how we can get more data.

References and resources: