My 2014 Brute force attempt details and a WordPress plugin to block attempted passwords

January 1, 2015

I run a WordPress Multisite with about 50 sites running on it. As a matter of curiosity I started tracking failed login attempts this year to share the details with you.

Total Logins: 78,623
Valid: 459 (does not include return visits where the login cookie was set.)
Failed attempts with a valid username: 2,648
Failed attempts with MY username: 1,206
Brute force attempts: 77,181

Average daily attempts: 215

Some quick notes about these numbers: the daily attempts figure is a rough average. Many of the attempts came in short bursts of several thousand at a time, but I do not have the daily breakdown (I have the data but do not want to do the breakdown right now 😉).

Moving on to the usernames and passwords…

Total unique passwords: 10,691
Passwords not tried against a valid user account: 10,581

Total unique users: 145
Invalid users: 126

Below I have provided downloads for the users and passwords. These have been sanitized wherever there is a known connection to a legitimate user account. The file downloads are provided so that others can enhance their own security by comparing user accounts against the data and ensuring that users do not set passwords on this list. Also provided is a WordPress plugin you can use to block any password change that matches a password on the blacklist. You will need to add the table manually: run the SQL file, then activate the plugin, and it is done.
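To show how a blacklist check of this kind hooks into WordPress, here is an added sketch; it is not the code of the downloadable plugin. The table name `password_blacklist`, its `password` column, and the `pbl_*` function names are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Password Blacklist Check (added example)
 */
defined( 'ABSPATH' ) || exit;

// Assumption: the blacklist is a network-wide table named
// {base_prefix}password_blacklist with one entry per row in a `password`
// column. The table created by the post's SQL file may differ.
function pbl_is_blacklisted( $password ) {
	global $wpdb;
	$table = $wpdb->base_prefix . 'password_blacklist';
	// Prepared statement: the candidate is bound, never concatenated into SQL.
	// A missing table yields null here, so the check then lets the change through.
	$hit = $wpdb->get_var(
		$wpdb->prepare( "SELECT 1 FROM {$table} WHERE password = %s LIMIT 1", $password )
	);
	return null !== $hit;
}

function pbl_reject( $errors ) {
	$errors->add( 'pass', __( 'That password appears on the list of passwords seen in brute force attempts. Choose a different one.' ) );
}

// Profile edits and admin-created users: edit_user() copies the submitted
// password into $user->user_pass before firing this hook. WordPress adds
// slashes to request data; wp_unslash() restores what was typed.
function pbl_check_profile_update( $errors, $update, $user ) {
	if ( ! empty( $user->user_pass ) && pbl_is_blacklisted( wp_unslash( $user->user_pass ) ) ) {
		pbl_reject( $errors );
	}
}
add_action( 'user_profile_update_errors', 'pbl_check_profile_update', 10, 3 );

// "Lost your password?" flow: the new password arrives in $_POST['pass1'].
function pbl_check_password_reset( $errors, $user ) {
	if ( ! empty( $_POST['pass1'] ) && pbl_is_blacklisted( wp_unslash( $_POST['pass1'] ) ) ) {
		pbl_reject( $errors );
	}
}
add_action( 'validate_password_reset', 'pbl_check_password_reset', 10, 2 );
```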
