This website is nothing special. I write about things that interest me, but with others in mind—particularly journalism and technology. There is nothing of value to steal here. The site doesn’t generate enough traffic to warrant planting malware, and there is no advertising; I never intend there to be. This blog should be a low-value hacker target, particularly since I use unique passwords everywhere; a compromise here won’t open my other accounts. I suppose a criminal could break in intending to drop a payload, such as a keylogger, onto my one computer. But, honestly, I am a low-value target, too. I ain’t wealthy, nor do I work for a company with massive assets to steal. So why, then, are there so many failed login attempts by presumed hackers?

I pose the question to anyone with more security expertise than me. Your response could help other people, too. 

The red flag went up last night while I poked around WordPress settings—in one where I rarely go: “Limit Login Attempts”. I set the feature, probably to defaults, years ago. Somehow I missed that the blogging system actually tracks failed logins. To date (I’m not sure when the count started): more than 150,000—and nearly all of the most recently visible ones use the correct user ID but (thankfully) none the correct password.

I looked up the IP addresses, and they originate from all over the world. Pick a country. How about Australia, France, India, or Ukraine, for starters? In preparation for this post, I flipped on the email-admin feature and got more than 100 messages about failed logins during the past 18 hours. Suddenly, the Internet feels a whole lot less safe. This website is my home on the web. Imagine living in a neighborhood where there were 100 attempts to burglarize your house within a day—even if all the criminals did was scout the property, or went so far as to check whether the alarm system was active.

Reverse IP lookup reveals origins of unauthorized, attempted logins

The barrage is good reason to respect larger websites that are high-value targets, and it makes me marvel that breaches exposing millions of people’s data aren’t more frequent.

I would love to hear from security experts about the mechanisms and techniques at work here, and also what the criminals are after. Is this botnet activity, pulling together IPs from around the globe? Or are there really so many people out there probing for vulnerabilities?
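One way to answer the botnet question from the data the blog already has is to look at the failed-login records two ways at once: per source IP (which is what a lockout feature such as “Limit Login Attempts” sees) and per targeted account. A single source tripping the lockout looks very different from hundreds of addresses each trying once or twice against the same user ID. The following is an added example, not code from the post or from any WordPress plugin; the line format `timestamp ip username`, the lockout thresholds, and the addresses are all constructed for illustration.

```python
"""Distinguish single-source from distributed failed-login activity.

Added example; not the post's code or any plugin's output format.
The "timestamp ip username" line format is an assumption, and the
events below are constructed sample data using documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one address hammers the login form, the rest spread
# their attempts thinly across many addresses against the same account.
SAMPLE_EVENTS = """\
2014-06-05T02:00:10Z 203.0.113.7 admin
2014-06-05T02:00:31Z 203.0.113.7 admin
2014-06-05T02:00:52Z 203.0.113.7 admin
2014-06-05T02:01:13Z 203.0.113.7 admin
2014-06-05T02:05:00Z 198.51.100.21 admin
2014-06-05T02:07:15Z 198.51.100.88 admin
2014-06-05T02:09:40Z 192.0.2.14 admin
2014-06-05T02:11:02Z 192.0.2.99 admin
2014-06-05T02:14:27Z 198.51.100.5 admin
2014-06-05T02:16:50Z 203.0.113.200 admin
2014-06-05T02:18:05Z 192.0.2.42 editor
"""


def parse_events(text):
    """Parse event lines into sorted (timestamp, ip, username) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2]))
    return sorted(events)


def per_ip_lockouts(events, max_failures=4, window=timedelta(minutes=10)):
    """Simulate a per-IP lockout: an address is locked once it accumulates
    max_failures within the sliding window. Returns the set of locked IPs."""
    recent = defaultdict(list)
    locked = set()
    for ts, ip, _user in events:
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= max_failures:
            locked.add(ip)
    return locked


def account_report(events, max_failures=4, window=timedelta(minutes=10)):
    """Per targeted username: total failures, distinct source IPs, how many of
    those IPs the per-IP lockout caught, and how many failures came from
    addresses that never tripped it (the part a per-IP rule cannot see)."""
    locked = per_ip_lockouts(events, max_failures, window)
    report = {}
    for _ts, ip, user in events:
        r = report.setdefault(user, {"attempts": 0, "ips": set(), "unlocked_attempts": 0})
        r["attempts"] += 1
        r["ips"].add(ip)
        if ip not in locked:
            r["unlocked_attempts"] += 1
    for r in report.values():
        r["source_ips"] = len(r["ips"])
        r["locked_ips"] = len(r["ips"] & locked)
        del r["ips"]
    return report


def classify(account, max_failures=4):
    """'distributed' when the failures that slipped past per-IP lockout would
    themselves have exceeded the threshold if counted per account."""
    if account["unlocked_attempts"] >= max_failures:
        return "distributed"
    if account["locked_ips"] > 0:
        return "single-source"
    return "quiet"


if __name__ == "__main__":
    report = account_report(parse_events(SAMPLE_EVENTS))
    for user, stats in report.items():
        print(user, stats, "->", classify(stats))
```

The point the report makes is that a per-IP lockout stops the one noisy address but is blind to the same account being worked from many addresses that each stay under the threshold; counting failures per account (or alerting on the site-wide failure rate) is the complementary control, and two-factor authentication removes the value of a guessed password altogether.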

I’m half tempted to abandon dedicated hosting for WordPress.com, which conceptually offers additional layers of protection. Is that a good idea? For a site as simple as this one, dedicated, managed WP is a luxury I indulge in for flexibility. Which is better?

Depending on the responses, and those I get from directly contacting security experts, I may write a formal news analysis. While you can comment here, I recommend messaging me on Facebook, Google+, LinkedIn, or Twitter—where this story is crossposted.

3 comments

  1. Bots troll all WordPress sites looking at default directories for logins – generally to add the server to their list of zombie bots. If you’re hosting, best to change default directories for all administrative functions – for example, do *not* use /wp-login

    1. Thanks, Tracy. I use managed WP hosting and believe that the directory structure can’t be changed. Do you think WordPress.com would be a better option? Two-factor authentication is available there. I would need to use a third-party plugin for my site, since the webhost doesn’t provide one, for either the hosting account or for hosted WP.

  2. You can change the default login address. I had the exact problem you did, but after changing wp-login to something else the problem is gone. A security plugin did it: iThemes Security, from memory.
