Black Lists Matter

This WordPress plugin has logged 16002 failed authentications since activation.

The plugin writes failed logins to a custom SQL table and optionally blocks recurring break-in attempts. The data can be used for attack statistics or to create a firewall blocklist.

By reducing the number of allowed login failures from a single host, the attack surface of a plain WordPress site is drastically lowered.

Limiting access to the authenticated functions of xmlrpc prevents exploitation of a native (un)security feature that allows an attacker to try hundreds of username and password combinations in a single request.

See this article for more info on XMLRPC:
https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html

Configuration

  • Block intervals
    How far back in history to check for an IP. The values are predefined as: Disabled, 1 Hour, 12 Hours, 1 Day & 30 Days.
  • Login retries
    Number of allowed login failures within the “block interval” before banning the host.
  • XMLRPC
    Disable features that allow authentication.
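
The block interval and login retries settings combine into a single query over the failed-login table. The following is an added example, not the plugin's own code: it uses an in-memory SQLite table with a hypothetical name (failed_logins), the columns from the shortcode field list, and constructed sample rows, and it assumes a host is banned once its failures exceed the allowed number.

```python
import sqlite3
from datetime import datetime, timedelta

# Block intervals as named in the Configuration list; "Disabled" turns blocking off.
INTERVALS = {"Disabled": None, "1 Hour": timedelta(hours=1),
             "12 Hours": timedelta(hours=12), "1 Day": timedelta(days=1),
             "30 Days": timedelta(days=30)}

# Constructed sample rows (time, ip, name, password); IPs are documentation ranges.
NOW = datetime(2020, 9, 29, 19, 0, 0)
SAMPLE = [
    ("2020-09-29 18:50:23", "203.0.113.7", "admin", "admin"),
    ("2020-09-29 18:50:24", "203.0.113.7", "admin", "pass"),
    ("2020-09-29 18:50:25", "203.0.113.7", "admin", "123456"),
    ("2020-09-29 18:50:26", "203.0.113.7", "admin", "password"),
    ("2020-09-28 20:00:00", "198.51.100.20", "admin", "12345"),
    ("2020-09-29 03:00:00", "198.51.100.20", "admin", "admin123"),
    ("2020-09-29 18:10:00", "198.51.100.20", "admin", "admin@123"),
    ("2020-09-29 18:40:00", "198.51.100.20", "admin", "123123"),
    ("2020-09-10 08:00:00", "192.0.2.5", "admin", "123"),
]

def make_db(rows):
    """In-memory stand-in for the plugin's table (table name is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE failed_logins (id INTEGER PRIMARY KEY, "
               "time TEXT, ip TEXT, name TEXT, password TEXT)")
    db.executemany("INSERT INTO failed_logins (time, ip, name, password) "
                   "VALUES (?, ?, ?, ?)", rows)
    return db

def blocklist(db, interval, retries, now):
    """Return (ip, failures) for hosts over the retry limit inside the interval."""
    window = INTERVALS[interval]
    if window is None:          # blocking disabled: nothing is ever banned
        return []
    since = (now - window).strftime("%Y-%m-%d %H:%M:%S")
    # Parameterised query: attacker-supplied names/passwords never reach the SQL text.
    cur = db.execute(
        "SELECT ip, COUNT(*) FROM failed_logins WHERE time >= ? "
        "GROUP BY ip HAVING COUNT(*) > ? ORDER BY COUNT(*) DESC, ip ASC",
        (since, retries))
    return cur.fetchall()

if __name__ == "__main__":
    db = make_db(SAMPLE)
    for name in INTERVALS:
        print(name, blocklist(db, name, 3, NOW))
```

The same rows give a longer blocklist as the interval widens, which is the trade-off the two settings control: a slow attacker that stays under the limit in any single hour is still caught by the 1 Day window.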

The plugin also provides a set of shortcodes for displaying statistics on the frontend.

Shortcode query options

The query type “list” fetches a chronological group of entries from the database in ascending or descending order, while “top” fetches the list by highest count. The “limit” option restricts the number of entries returned.

  • query = list | top
  • field = id | time | ip | name | password
  • limit = (int)
  • sort = ASC | DESC

Top Failed Passwords

brute_table query="top" field="password" limit=10 sort="DESC"
PASSWORD     COUNT
asbra        282
admin        273
123456       204
xn--1ca      175
password     158
pass         153
admin@123    142
admin123     138
12345        118
asbra123     103

Top Attacking IP

brute_table query="top" field="ip" limit=10 sort="DESC"
IP                COUNT
188.240.208.26    6270
40.76.40.117      3225
13.78.168.134     999
20.50.114.95      265
89.35.39.180      150
85.204.246.240    126
188.213.49.210    91
5.188.62.140      30
157.55.181.255    20
35.222.6.245      20

Failed Passwords, 24h

brute_table query="top" field="password" limit=10 sort="DESC" interval="1 DAY"

Attacking IP, 24h

brute_table query="top" field="ip" limit=10 sort="DESC" interval="1 DAY"

Latest Attacks

brute_table limit=10 field="time,ip,name,password" sort="DESC"
TIME                   IP              NAME     PASSWORD
2020-09-29 18:50:26    13.84.37.240    asbra    gimboroot
2020-09-29 18:50:25    13.84.37.240    asbra    12345
2020-09-29 18:50:25    13.84.37.240    asbra    123123
2020-09-29 18:50:24    13.84.37.240    asbra    123
2020-09-29 18:50:24    13.84.37.240    asbra    password
2020-09-29 18:50:24    13.84.37.240    asbra    admin@123
2020-09-29 18:50:24    13.84.37.240    asbra    admin123
2020-09-29 18:50:23    13.84.37.240    asbra    123456
2020-09-29 18:50:23    13.84.37.240    asbra    pass
2020-09-29 18:50:23    13.84.37.240    asbra    admin