Black Lists Matter

This WordPress plugin has logged [brute_count_attacks] failed authentications since activation.

The plugin writes failed logins to a custom SQL table and optionally blocks recurring break-in attempts. The data can be used for attack statistics or to create a firewall blocklist.

By reducing the number of allowed login failures from a single host, the attack surface of a plain WordPress site is drastically lowered.

Limiting access to authenticated functions of xmlrpc prevents exploitation of a native (un)security feature that allows an attacker to try hundreds of username and password combinations in a single request.

See this article for more info on XMLRPC:
https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html

Configuration

  • Block intervals
    How far back in history to check for an IP. The values are predefined as: Disabled, 1 Hour, 12 Hours, 1 Day & 30 days.
  • Login retries
    Number of allowed login failures within “block interval” before banning host.
  • XMLRPC
    Disable features that allow authentication.
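
How the block interval and login retries settings combine into a ban decision, as an added example (not the plugin's own code). The table name, the function names and the sample rows are assumptions, and a host is assumed to be banned once its failure count inside the interval reaches the allowed number.

```python
import sqlite3
from datetime import datetime, timedelta

# Block intervals as listed on the page; None means blocking is disabled.
BLOCK_INTERVALS = {
    "Disabled": None,
    "1 Hour": timedelta(hours=1),
    "12 Hours": timedelta(hours=12),
    "1 Day": timedelta(days=1),
    "30 days": timedelta(days=30),
}
FMT = "%Y-%m-%d %H:%M:%S"  # fixed-width, so string comparison orders by time

def open_log():
    """In-memory stand-in for the custom table (table name is hypothetical)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE failed_logins (id INTEGER PRIMARY KEY, "
               "time TEXT, ip TEXT, name TEXT, password TEXT)")
    return db

def log_failure(db, when, ip, name, password):
    db.execute("INSERT INTO failed_logins (time, ip, name, password) "
               "VALUES (?, ?, ?, ?)", (when.strftime(FMT), ip, name, password))

def is_blocked(db, ip, now, interval, retries):
    """True once `ip` has used up its allowed failures inside the window."""
    window = BLOCK_INTERVALS[interval]
    if window is None:          # "Disabled": log only, never ban
        return False
    since = (now - window).strftime(FMT)
    (count,) = db.execute(
        "SELECT COUNT(*) FROM failed_logins WHERE ip = ? AND time >= ?",
        (ip, since)).fetchone()
    return count >= retries     # assumed threshold semantics

def sample_log():
    """Constructed data: one fast guesser, one host that failed hours ago."""
    now = datetime(2021, 1, 22, 18, 0, 0)
    db = open_log()
    for minutes in (5, 20, 40):
        log_failure(db, now - timedelta(minutes=minutes), "192.0.2.10", "admin", "guess")
    for hours in (3, 4, 5):
        log_failure(db, now - timedelta(hours=hours), "198.51.100.7", "admin", "guess")
    return db, now

if __name__ == "__main__":
    db, now = sample_log()
    for ip in ("192.0.2.10", "198.51.100.7"):
        for interval in ("Disabled", "1 Hour", "12 Hours"):
            print(ip, interval, is_blocked(db, ip, now, interval, retries=3))
```

A short interval lets a slow guesser age out of the window between attempts; the same three failures that pass unnoticed at 1 Hour trigger a ban at 12 Hours.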

The plugin also provides a set of shortcodes for displaying statistics on the frontend.

Shortcode query options

The query type “list” fetches a chronological group of entries from the database in ascending or descending order, while “top” fetches the list by highest count. The “limit” option restricts the number of entries returned.

  • query = list | top
  • field = id | time | ip | name | password
  • limit = (int)
  • sort = ASC | DESC

Top Failed Passwords

brute_table query="top" field="password" limit=10 sort="DESC"
PASSWORD      COUNT
asbra         692
admin         626
123456        533
password      391
xn--1ca       389
admin123      354
pass          335
admin@123     303
12345         288
123456789     282

Top Attacking IP

brute_table query="top" field="ip" limit=10 sort="DESC"

Failed Passwords, 24h

brute_table query="top" field="password" limit=10 sort="DESC" interval="1 DAY"
PASSWORD      COUNT
admin         5
asbra         4
123456        4
admin123      4
12345         3
admin1234     3
pass          3
password      3
Admin12345    2
test          2

Attacking IP, 24h

brute_table query="top" field="ip" limit=10 sort="DESC" interval="1 DAY"

Latest Attacks

brute_table limit=10 field="time,ip,name,password" sort="DESC"