I’ve been seeing brute-force login attacks on another of my WordPress sites, but instead of targeting typical usernames like admin or enumerating post authors, they’re trying random name-and-number combinations like Emanuel95A. What use could that possibly be? You’re not likely to hit on an existing user that way.

It turns out it’s not a dictionary attack after all. It’s not really a login attack either, at least not deliberately. It’s actually a bot trying to register new usernames (maybe for comment spam, maybe to stage a privilege escalation attack later, who knows?), which explains the name-and-number combinations: they’re trying to pick a username that isn’t already in use.

The bot hasn’t figured out that registration is turned off. When it requests wp-login.php?action=register, WordPress redirects it to wp-login.php?registration=disabled, which just shows the login form, and the bot keeps trying to register…in the login form…over and over until it gets locked out. (On a related note, if you don’t have something like the Limit Login Attempts plugin on your site, install one now.)

Because registration was off and repeated login attempts were blocked, it wasn’t currently a threat, but the alerts for all the lockouts were getting a bit annoying. I decided that instead of nicely sending the “user” to the login page, I’d kick back a 403 error instead. Rather than hack WP or write a plugin, I just added a mod_rewrite rule (in the site’s .htaccess or vhost config):

# Broken register bots are repeatedly trying to log into the site.
# Match the registration request itself, or the page WordPress redirects
# it to when registration is disabled...
RewriteCond %{QUERY_STRING} (registration=disabled|action=register) [NC,OR]
# ...or a login POST whose Referer is that "registration disabled" page.
RewriteCond %{HTTP_REFERER} registration=disabled [NC]
# Then answer 403 Forbidden for wp-login.php instead of serving the form.
RewriteRule ^wp-login\.php - [F,L]

That leaves the form active under most circumstances, but stops everything that arrives via the registration page or carries a Referer pointing back at it. Note that both the query string and the Referer header are supplied by the client, so a bot that drops the Referer would sail past this rule; it’s a noise-reduction measure, not a security control. The actual protection is still that registration is off and repeated failed logins get locked out.
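To confirm the diagnosis before (or after) deploying the rule, here is an added example, not code from the original post: a small Python script that parses Apache combined-format access log lines, flags each request the rewrite rule above would answer with a 403, and lists the client IPs that are stuck in the register, redirect, POST-to-the-login-form loop. The log excerpt embedded in it is constructed for the example; the hostname example.com and the IP addresses are placeholders, and the loop signature (a GET with action=register followed by POSTs whose Referer contains registration=disabled) is assumed from the behaviour described above.

```python
import re
from collections import defaultdict

# Apache "combined" log format:
# ip ident user [ts] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one broken registration bot stuck in the redirect
# loop (203.0.113.7) and one ordinary login for contrast (198.51.100.22).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2012:03:14:01 -0500] "GET /wp-login.php?action=register HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:03:14:01 -0500] "GET /wp-login.php?registration=disabled HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:03:14:02 -0500] "POST /wp-login.php HTTP/1.1" 200 2871 "http://example.com/wp-login.php?registration=disabled" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:03:14:03 -0500] "POST /wp-login.php HTTP/1.1" 200 2871 "http://example.com/wp-login.php?registration=disabled" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:03:14:04 -0500] "POST /wp-login.php HTTP/1.1" 200 2871 "http://example.com/wp-login.php?registration=disabled" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2012:03:20:11 -0500] "GET /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2012:03:20:19 -0500] "POST /wp-login.php HTTP/1.1" 302 - "http://example.com/wp-login.php" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of the fields of one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Apache logs a missing Referer as "-"; treat that as an empty header.
    if entry["referer"] == "-":
        entry["referer"] = ""
    return entry


def would_be_blocked(entry):
    """Mirror the mod_rewrite rule: would this request get a 403?"""
    path, _, query = entry["target"].partition("?")
    # RewriteRule ^wp-login\.php ... (path is relative to the document root)
    if not path.lstrip("/").startswith("wp-login.php"):
        return False
    # RewriteCond %{QUERY_STRING} (registration=disabled|action=register) [NC,OR]
    q = query.lower()
    if "registration=disabled" in q or "action=register" in q:
        return True
    # RewriteCond %{HTTP_REFERER} registration=disabled [NC]
    return "registration=disabled" in entry["referer"].lower()


def summarize(log_text):
    """Per-IP counts: total requests, register attempts, and requests the rule would block."""
    per_ip = defaultdict(lambda: {"requests": 0, "register_hits": 0, "would_block": 0})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that aren't in combined format
        stats = per_ip[entry["ip"]]
        stats["requests"] += 1
        if "action=register" in entry["target"].lower():
            stats["register_hits"] += 1
        if would_be_blocked(entry):
            stats["would_block"] += 1
    return dict(per_ip)


def broken_register_bots(log_text, min_blocked=3):
    """IPs that would have hit the 403 rule at least min_blocked times: the stuck bots."""
    return sorted(ip for ip, s in summarize(log_text).items() if s["would_block"] >= min_blocked)


if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE_LOG).items():
        print(ip, stats)
    print("broken register bots:", broken_register_bots(SAMPLE_LOG))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the would_block count tells you how many lockout alerts the rule would have saved, and a legitimate user who merely clicked a stale "Register" link shows up with one blocked request, not dozens.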

Update: Brion sums it up over at Google+:

Malware needs better exception handling 😀
