To my mind, that's a shocking number of attacks on a relatively small target. It makes me wonder what sort of numbers the really famous sites are seeing, and if they track the data in this way as well.
It's amazing that in nearly-2015, enough people still use passwords like '123456' and 'password' such that they're still at the top of the guessing list in hacking attempts. Some of us will never learn, I guess...
> It makes me wonder what sort of numbers the really famous sites are seeing
Not exactly a famous site, but I thought a larger sample size might be interesting...
We [1] provide shared hosting for about 500 WordPress installations, of widely varying sizes. The sites are mostly static "blogs" for student groups or individual students, with about half on a single domain (www.ocf.berkeley.edu/~something) and others on different subdomains of berkeley.edu.
In the past week, the webserver handled 3,527,157 requests (about 814 MB of uncompressed access logs). 111,409 of those were WordPress login attempts [2].
I was going to compare the list of top IPs with the list in the article, but was surprised to find that there were no shared IPs between the lists. For context, we had 435 unique IPs, 9 with > 1000 requests, and 32 with > 100 requests.
The top ten requestors in the past week are from (cities from whois data):
56742 Kiev, Ukraine
19302 Novosibirsk, Russia
7645 Sofia, Bulgaria
7641 Moscow, Russia
7190 Kiev, Ukraine
6748 Kharkov, Ukraine
2160 Roubaix, France
1041 Kharkov, Ukraine
967 Kuala Lumpur, Malaysia
894 Putian, China
[2] POST requests to wp-login.php. I don't have accurate numbers on how many failed, but to say that less than 250 were legitimate user logins is probably accurate.
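The tally described in the comment above (POSTs to wp-login.php, grouped by client IP), as an added example that is not part of the original thread. It assumes the Apache/nginx "combined" access log format, and uses the response status as a rough failure signal: WordPress re-renders the login form with a 200 on a bad password and redirects with a 302 on success. The sample lines are constructed.

```python
import re
from collections import Counter

# Apache/nginx "combined" format (assumed; the post does not say which format was used).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def login_attempts(lines):
    """Count POSTs to wp-login.php per client IP.

    Returns (per_ip, failed). 'failed' counts POSTs answered with 200, a
    heuristic for a rejected login; plugins or redirects can change this.
    """
    per_ip, failed = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string; match the script in any subdirectory (/~user/wp-login.php).
        path = m["path"].split("?", 1)[0]
        if not path.endswith("/wp-login.php"):
            continue
        per_ip[m["ip"]] += 1
        if m["status"] == "200":
            failed[m["ip"]] += 1
    return per_ip, failed

def summarize(per_ip, thresholds=(1000, 100), top=10):
    """Totals, unique IPs, IPs above each threshold, and the top requesters."""
    return {
        "total": sum(per_ip.values()),
        "unique_ips": len(per_ip),
        "over": {t: sum(1 for c in per_ip.values() if c > t) for t in thresholds},
        "top": per_ip.most_common(top),
    }

# Constructed sample lines (documentation-range IPs, not data from the post).
SAMPLE = (
    ['203.0.113.7 - - [10/Dec/2014:03:14:%02d -0800] "POST /~club/wp-login.php HTTP/1.1" 200 3120 "-" "-"' % i for i in range(5)]
    + ['198.51.100.9 - - [10/Dec/2014:09:00:00 -0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
       '198.51.100.9 - - [10/Dec/2014:09:00:05 -0800] "GET /wp-login.php HTTP/1.1" 200 2900 "-" "-"',
       '192.0.2.44 - - [10/Dec/2014:09:01:00 -0800] "GET /index.html HTTP/1.1" 200 512 "-" "-"']
)

if __name__ == "__main__":
    counts, failed = login_attempts(SAMPLE)
    print(summarize(counts, thresholds=(3, 1)), dict(failed))
```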
A small point here: Roubaix is the town where OVH has its datacenter and exchange point, so this is most probably people renting VMs or VPS in there (like Amazon).
Sorry, I should have clarified. That list is the top 10 IPs by number of requests, not the top 10 cities. I just replaced the actual IPs with the cities in their whois (since I'm not sure I want to post the IPs publicly).
I run a wordpress site for a friend with the word "anonymous" in the domain name. I run WordFence on it with 30min lockouts for failed password attempts from the same IP address. I get ~60 locked out messages a day from it, the vast majority attempting to log in as "admin" (an account which doesn't exist). I have no doubt that it's _continuously_ under attack from several botnets, and that without Wordfence in the way it'd be dealing with thousands of login attempts per day.
Like this article closes with though, non "admin" accounts and strong passwords foil all these lame automated attempts. (I suspect one day it'll get attacked by someone with a Wordpress zeroday, and I'll have to reprovision the vm from scratch - Yay Ansible! - come at me scriptkiddies!)
I don't run a WordPress site, but it seems to me that failed password lockouts should be a standard feature. Even a lockout of say five minutes makes brute-forcing all but the most useless passwords implausible.
I looked up Wordfence. The way it preemptively blocks attacks from all domains that attack any Wordfence user's site is pretty clever.
We used to have to take care of the wordpress sites of a few friends of the CEO. One of them, a middle-aged tech naif, had an admin login that was the same for the username, password, and domain (effectively www.johnsmith.com, johnsmith:johnsmith). I had to 'crack' it to log in to apply an update, as we didn't have a record of what he'd set it to...
I changed the password and emailed him (Well, I emailed 3 times - twice for a polite 'can I change it' and once for 'I have changed it'). No response. 3 months later, the CEO comes along and says "John Smith can't get into his wordpress website, he thinks it's been hacked" :)