Here's a good Sucuri article that proves what I see literally every day analyzing access logs of infected WordPress sites, and what I wrote about here: http://blog.unmaskparasites.com/2012/03/01/weak-passwords-and-tainted-wordpress-widgets/

Almost every WordPress blog is now a target of brute force attacks that try to guess admin passwords.

Read the article and check the list of passwords that you should never use. Anywhere.

Then go and change your password to something strong and make sure you don't use default administrator usernames such as admin. Actually, the first thing you should do after installing a WordPress blog is create a new user with an administrator role and then remove the default admin user.
Lately we have been seeing many WordPress sites being attacked and hacked through the use of brute force. The administrator leaves the default admin user name and chooses a simple password, and never ...
4 comments
 
Very insightful, thanks for sharing. Is there a plugin that WordPress users can install to prevent multiple login attempts from the same IP address?
 
I didn't try these plugins but they claim to be doing that:

http://wordpress.org/extend/plugins/better-wp-security/
* Prevent brute force attacks by banning hosts and users with too many invalid login attempts
* Completely turn off the ability to login for a given time period (away mode)

http://wordpress.org/extend/plugins/limit-login-attempts/
* Limit the number of retry attempts when logging in (for each IP). Fully customizable

http://wordpress.org/extend/plugins/login-security-solution/
* If a login failure uses data matching a past failure, the plugin slows down response times. The more failures, the longer the delay. This encourages attackers to give up and go find an easier target
* Thoroughly examines the strength of new passwords. ... The tests have caught every password dictionary entry I've tried

http://wordpress.org/extend/plugins/private-wordpress-access-control-manager/
* ... prevent brute force, XSS, SQL, Field Truncation, Session Hijacking and more attacks, slow down attackers, force your users to use strong passwords

http://wordpress.org/extend/plugins/user-security-tools/
* Control for Brute Force: Adds a maximum of failed login attempts within a certain period of time. If this maximum is achieved, the user is locked

And many more: http://wordpress.org/extend/plugins/search.php?q=brute+force
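The two mechanisms that recur in the plugin list above, a per-IP lockout after N failed logins inside a time window and a response delay that grows with each recent failure, as an added example in Python. This is not code from any of the plugins listed (those are PHP); it is a language-neutral sketch of the mechanism, and the thresholds (5 failures in 10 minutes, 15-minute lockout, delay doubling from 1 second) are assumed values to be tuned per site.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-IP failed-login limiter with escalating delay.

    check(ip) is called before a login attempt is processed and returns
    (allowed, delay_seconds). record_failure(ip) / record_success(ip) are
    called afterwards with the outcome. Only failures count; a successful
    login clears the IP's failure history.
    """

    def __init__(self, max_failures=5, window=600, lockout=900,
                 base_delay=1.0, clock=time.monotonic):
        # Assumed defaults; `clock` is injectable so the logic can be tested
        # without sleeping.
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.base_delay = base_delay
        self.clock = clock
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lockout expires

    def _prune(self, ip, now):
        # Forget failures older than the sliding window.
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, ip):
        """Return (allowed, delay_seconds) for a login attempt from ip."""
        now = self.clock()
        until = self.locked_until.get(ip)
        if until is not None:
            if now < until:
                return False, 0.0           # still locked out: refuse outright
            del self.locked_until[ip]       # lockout expired: start fresh
            self.failures[ip].clear()
        self._prune(ip, now)
        n = len(self.failures[ip])
        # Delay doubles with each recent failure: 0, 1, 2, 4, 8 ... seconds,
        # so a guessing loop slows to a crawl well before the lockout hits.
        delay = 0.0 if n == 0 else self.base_delay * (2 ** (n - 1))
        return True, delay

    def record_failure(self, ip):
        """Record a failed login; return True if this failure locked the IP out."""
        now = self.clock()
        self._prune(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip):
        """A valid login resets the failure counter for that IP."""
        self.failures[ip].clear()


if __name__ == "__main__":
    # Simulated guessing loop from one address (constructed, not real traffic).
    t = LoginThrottle(max_failures=5, window=600, lockout=900)
    for attempt in range(1, 8):
        allowed, delay = t.check("203.0.113.5")
        if not allowed:
            print(f"attempt {attempt}: refused, IP locked out")
            continue
        print(f"attempt {attempt}: allowed after {delay:.0f}s delay")
        t.record_failure("203.0.113.5")
```

The delay is applied by the caller (sleep, or a deferred response) before the password is even compared, so it costs the attacker time on every guess; the lockout is the hard stop once the window fills. Keying only on IP means a distributed attack from many hosts gets through, which is why the per-user lockout in some of the plugins above is a useful complement.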
 
A slight variation of one of these plugins could be: allow a user 2-3 login attempts, then start showing a captcha on the login page. Maybe one of those plugins does exactly that.

It would be nice to write about how many of the WordPress sites that you analyze are being attacked by brute-force password guessing; if it's really high, it could explain some recent studies that showed that even up-to-date WP installations are being compromised. It could even be a good idea to engage with WP to include a brute-force defense in the default installation ...
 
http://wordpress.org/extend/plugins/search.php?q=brute+force
This list shows some creative approaches to dealing with brute-force attacks.

For almost every WordPress blog that I have logs for, I can see numerous brute-force attack attempts. This is definitely a new trend in the last few months. Most of the attacks are not successful (as far as I can tell), but for some sites I see how attackers log into WordPress using valid admin credentials and modify theme files / widgets, etc. So chances are the attackers eventually managed to guess admin passwords for those sites. Of course, they could use, say, a key logger or web form readers on infected computers of blog admins, but the increased activity of the WP brute-forcers makes me think that they figured out that such attacks are worthwhile, and with millions of WordPress blogs, even 1% with easy-to-guess passwords can be a significant number.

However, the most prevalent attack vectors are still vulnerabilities in WordPress themes and plugins and stolen FTP credentials.
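The kind of access-log analysis the comment above describes (spotting a burst of login POSTs from one address, and the moment one of them succeeds), as an added example in Python that is not the author's own tooling. The log lines are constructed for the example in Apache/nginx combined format, not real traffic. It relies on one heuristic, stated here as an assumption: a stock WordPress answers a failed POST to /wp-login.php by re-rendering the form with HTTP 200, and a successful one with a 302 redirect into /wp-admin/, so a 302 that follows a run of 200s from the same IP is the signature of a guessed password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (combined log format). 203.0.113.5 fails eight
# times and then gets a 302; 198.51.100.7 is a normal login; 192.0.2.9
# fails three times and gives up.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Apr/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Apr/2013:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Apr/2013:10:00:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Apr/2013:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Apr/2013:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Apr/2013:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Apr/2013:10:20:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Apr/2013:10:20:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse(lines):
    """Yield (ip, timestamp, method, path, status) for each parseable line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed or unrelated lines
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # drop query string (e.g. ?action=...)
        yield m["ip"], ts, m["method"], path, int(m["status"])


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: summary} for IPs that look like wp-login.php brute-forcers.

    Assumed heuristic: POST /wp-login.php -> 200 is a failed login,
    -> 302 is a successful one. An IP is reported when it reaches
    `threshold` failures inside `window`, or when a 302 follows such a run.
    """
    attempts = defaultdict(list)
    for ip, ts, method, path, status in parse(log_text.splitlines()):
        if method == "POST" and path == "/wp-login.php":
            attempts[ip].append((ts, status))

    report = {}
    for ip, events in attempts.items():
        events.sort()
        recent = []                       # failure timestamps in the sliding window
        max_burst = 0
        success_after_burst = False
        for ts, status in events:
            while recent and ts - recent[0] > window:
                recent.pop(0)
            if status == 302:
                if len(recent) >= threshold:
                    success_after_burst = True   # password most likely guessed
                recent.clear()
            else:
                recent.append(ts)
                max_burst = max(max_burst, len(recent))
        if max_burst >= threshold or success_after_burst:
            report[ip] = {
                "attempts": len(events),
                "max_failures_in_window": max_burst,
                "success_after_burst": success_after_burst,
            }
    return report


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        flag = "PASSWORD LIKELY GUESSED" if info["success_after_burst"] else "blocked/gave up"
        print(f"{ip}: {info['attempts']} POSTs, burst of {info['max_failures_in_window']} failures, {flag}")
```

Run against a real access log with `find_bruteforce(open("access.log").read())`. Addresses flagged with success_after_burst are the ones to act on first: reset the admin password and then diff theme files and widgets against a clean copy, since that is exactly where the comment above reports attackers making changes once they get in.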