Black Lists Matter

This WordPress plugin has logged 27310 failed authentications since activation.

The plugin writes failed logins to a custom SQL table and optionally blocks recurring break-in attempts. The data can be used for attack statistics or to create a firewall blocklist.

By reducing the number of allowed login failures from a single host, the attack surface of a plain WordPress site is drastically lowered.

Limiting access to the authenticated functions of XMLRPC prevents exploitation of a native (un)security feature that allows an attacker to try hundreds of usernames and passwords in a single request.

See this article for more info on XMLRPC:
https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html

Configuration

  • Block intervals
    How far back in history to check for an IP. The values are predefined as: Disabled, 1 Hour, 12 Hours, 1 Day & 30 days.
  • Login retries
    Number of allowed login failures within the “block interval” before the host is banned.
  • XMLRPC
    Disable features that allow authentication.

The plugin also provides a set of shortcodes for displaying statistics on the frontend.

Shortcode query options

The query type “list” fetches a chronological group of entries from the database in ascending or descending order, while “top” fetches the list ordered by highest count. The “limit” option restricts the number of entries returned.

  • query = list | top
  • field = id | time | ip | name | password
  • limit = (int)
  • sort = ASC | DESC
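
The following is an added example, not the plugin's own code: it sketches the block decision from the Configuration section (block interval plus login retries) and the “top” shortcode query against one table of failed logins. The table name failed_logins, its schema, the function names and the rule that a host is banned once its failure count reaches the retry limit are all assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# The predefined block intervals from the settings; None means "Disabled".
INTERVALS = {"Disabled": None, "1 Hour": timedelta(hours=1),
             "12 Hours": timedelta(hours=12), "1 Day": timedelta(days=1),
             "30 days": timedelta(days=30)}
FIELDS = {"id", "time", "ip", "name", "password"}  # shortcode "field" values

def open_log():
    # Hypothetical schema; the plugin's real table layout is not shown on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE failed_logins (id INTEGER PRIMARY KEY, "
               "time TEXT, ip TEXT, name TEXT, password TEXT)")
    return db

def log_failure(db, when, ip, name, password):
    db.execute("INSERT INTO failed_logins (time, ip, name, password) "
               "VALUES (?, ?, ?, ?)", (when.strftime(FMT), ip, name, password))

def is_blocked(db, ip, now, interval="1 Hour", retries=3):
    """Assumed rule: ban once failures inside the interval reach `retries`."""
    window = INTERVALS[interval]
    if window is None:  # blocking disabled, failures are only logged
        return False
    (count,) = db.execute(
        "SELECT COUNT(*) FROM failed_logins WHERE ip = ? AND time >= ?",
        (ip, (now - window).strftime(FMT))).fetchone()
    return count >= retries

def top(db, field, limit=10, sort="DESC"):
    """query="top": group on one field, order by how often each value occurs."""
    if field not in FIELDS or sort not in ("ASC", "DESC"):
        raise ValueError("unsupported field or sort")  # allow-list before building SQL
    sql = (f"SELECT {field}, COUNT(*) AS n FROM failed_logins "
           f"GROUP BY {field} ORDER BY n {sort}, {field} LIMIT ?")
    return db.execute(sql, (int(limit),)).fetchall()

def demo():
    db, now = open_log(), datetime(2021, 4, 13, 8, 0, 0)
    # Constructed sample rows: documentation-range addresses, made-up passwords.
    rows = [(90, "203.0.113.5", "123456"), (5, "203.0.113.5", "admin"),
            (4, "203.0.113.5", "123456"), (3, "203.0.113.5", "pass"),
            (2, "198.51.100.7", "123456")]
    for minutes_ago, ip, pw in rows:
        log_failure(db, now - timedelta(minutes=minutes_ago), ip, "admin", pw)
    return db, now
```

Widening the interval from “1 Hour” to “12 Hours” pulls the older failure from the same host into the count, which is why a longer interval bans slow, spread-out guessing that a short one misses.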

Top Failed Passwords

brute_table query="top" field="password" limit=10 sort="DESC"
PASSWORD     COUNT
asbra        792
admin        743
123456       583
xn--1ca      448
password     422
admin123     386
pass         366
admin@123    323
12345        314
123456789    309

Top Attacking IP

brute_table query="top" field="ip" limit=10 sort="DESC"
IP                 COUNT
188.240.208.26     6270
40.76.40.117       3225
13.78.168.134      999
193.142.146.202    383
20.50.114.95       265
89.35.39.180       150
85.204.246.240     126
193.142.146.4      99
188.213.49.210     91
5.188.62.147       87

Failed Passwords, 24h

brute_table query="top" field="password" limit=10 sort="DESC" interval="1 DAY"

Attacking IP, 24h

brute_table query="top" field="ip" limit=10 sort="DESC"  interval="1 DAY"

Latest Attacks

brute_table limit=10 field="time,ip,name,password" sort="DESC"
TIME                   IP                NAME     PASSWORD
2021-04-13 07:36:24    13.53.64.97       asbra    shaggy
2021-04-13 07:36:24    13.53.64.97       asbra    taurus
2021-04-13 07:36:23    13.53.64.97       asbra    brother
2021-04-13 07:36:23    13.53.64.97       asbra    fyfcnfcbz
2021-04-13 07:36:23    13.53.64.97       asbra    holiday
2021-04-03 01:02:31    185.236.42.214    asbra    132
2021-03-09 15:20:09    185.236.42.91     asbra    343212
2021-03-07 14:21:25    185.236.42.91     asbra    myhome
2021-03-03 18:33:22    185.236.42.27     asbra    10000
2021-03-03 00:23:05    5.153.234.68      asbra    adm1