WordPress Name+Number Login/Registration Attacks
I've been seeing brute-force login attacks on another of my WordPress sites, but instead of targeting typical usernames like admin or extracting post authors, they're random name and number combinations like Emanuel95A. What use could that possibly be? You're not likely to hit on an existing user that way.
It turns out it's not a dictionary attack after all. It's not really a login attack either, at least not deliberately. It's actually a bot trying to register new usernames (maybe for spam, maybe in preparation for a privilege escalation attack, who knows?), which explains the name and number combination: they're actually trying to get a username that's not already in use.
The bot hasn't figured out that registration is turned off, so when WordPress redirects it to the login form, it keeps trying to register… in the login form… over and over until it gets locked out. (On a related note, if you don't have a plugin to limit login attempts, install one now.)
Because registration was off and repeated logins were blocked, it wasn't currently a threat, but the alerts for all the lockouts were getting a bit annoying. I decided that instead of nicely sending the "user" to the login page, I'd kick back a 403 error instead. Rather than hack WP or write a plugin, I just added a mod_rewrite rule:
# Broken register bots are repeatedly trying to log into the site.
# Match either the query string of the registration redirect / register action ...
RewriteCond %{QUERY_STRING} (registration=disabled|action=register) [NC,OR]
# ... or a Referer that shows the request came from the disabled-registration page.
RewriteCond %{HTTP_REFERER} registration=disabled [NC]
# Only for the login script; answer 403 Forbidden and stop processing.
RewriteRule ^wp-login\.php - [F,L]
That leaves the form active under most circumstances, but stops everything if it's been redirected from the registration page.
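To check which requests the rule actually catches (and that a normal login gets through), here is an added Python script, not from the post, that mirrors the two RewriteCond patterns and runs them over a few constructed Apache access-log lines; the IP addresses, hostname and timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample log lines (Apache combined format) modelling the traffic described above:
# a register attempt, the redirected retries carrying registration=disabled in the query
# string or Referer, and an ordinary login by a real user that must NOT be blocked.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2013:12:00:01 +0000] "GET /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2013:12:00:02 +0000] "POST /wp-login.php?registration=disabled HTTP/1.1" 200 3500 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2013:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "http://example.test/wp-login.php?Registration=Disabled" "Mozilla/5.0"
198.51.100.4 - - [10/May/2013:12:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.test/wp-login.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# The [NC] flag on both RewriteConds means case-insensitive matching.
QUERY_RE = re.compile(r"registration=disabled|action=register", re.IGNORECASE)
REFERER_RE = re.compile(r"registration=disabled", re.IGNORECASE)


def rule_blocks(path, query_string, referer):
    """True when the .htaccess rule would answer 403: the request is for wp-login.php
    AND (query string matches OR Referer matches), exactly as the OR'd conditions say."""
    if not path.startswith("/wp-login.php"):
        return False
    return bool(QUERY_RE.search(query_string)) or bool(REFERER_RE.search(referer))


def parse_line(line):
    """Split one combined-format log line into ip, path, query string and referer."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    referer = "" if m.group("referer") == "-" else m.group("referer")
    return {"ip": m.group("ip"), "path": path, "query": query, "referer": referer}


def blocked_requests_by_ip(log_text):
    """Count, per client IP, the requests the rule would have rejected with 403."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rule_blocks(rec["path"], rec["query"], rec["referer"]):
            counts[rec["ip"]] += 1
    return counts
```

Running it over an existing access log before enabling the rule shows how many hits it would have absorbed and confirms the legitimate login (no registration=disabled anywhere) is untouched.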
Update: My sibling sums it up over at Google+:
Malware needs better exception handling :)