Top WordPress Attack Passwords


As the creator and one of the maintainers of the SecLists Project, I like creating lists of usernames and passwords that are live and used in the wild.

So I decided to capture some data on what usernames and passwords were being attempted against my site’s WordPress install over a single day. Here are some of my findings:

The attacks are common and constant

  1. I logged 56,490 malicious attempts to log into my site over the last 7 days, with massive bursts coming from Vietnam and Ukraine.

The usernames don’t vary that much

The top usernames were:

  1. admin (90%)

  2. administrator (8%)

  3. danielmiessler.com (2%)

The passwords were quite simple

This is to be expected, but it adds gravity to the point that you should have a good password that’s not on this list:

  1. admin

  2. 123456

  3. 123123

  4. admin123″

  5. password1″

  6. abc123″

  7. 12341234″

  8. querty”

  9. pass”

  10. administrator”

Some observations

I found a few things interesting about this data.

  • Different attacks used widely different lists. In particular, a big attack out of Hanoi didn’t look anything like another attack from Ukraine.

  • Many of the passwords used closing quotes after the password.
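To reproduce this kind of tally on your own login logs, the sketch below is an added example and not code from the original post. It assumes a hypothetical tab-separated log of source label, username and attempted password (the post does not say how its data was captured), folds trailing-quote variants onto the bare password, and measures how much two sources' password lists overlap.

```python
from collections import Counter, defaultdict

# Quote characters that may trail a logged password (ASCII and typographic).
TRAILING_QUOTES = '"\'\u201d\u2033\u2019'

# Constructed sample: source label, username, attempted password (tab-separated).
SAMPLE_LOG = """\
src-a\tadmin\tadmin
src-a\tadmin\t123456
src-a\tadmin\tadmin123\u2033
src-a\tadministrator\tpassword1\u2033
src-b\tadmin\tadmin123
src-b\tadmin\tabc123\u201d
src-b\tadmin\tpass\u201d
src-b\tadmin\t123456
src-c\tadmin\tletmein
src-c\tadmin\tqwerty1
"""

def normalize(password):
    """Fold a trailing-quote variant onto the bare password."""
    return password.rstrip(TRAILING_QUOTES)

def parse(log_text):
    """Yield (source, username, normalized password, had_trailing_quote)."""
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # skip malformed lines
        src, user, pw = parts
        clean = normalize(pw)
        yield src, user, clean, clean != pw

def summarize(log_text):
    """Return username counts, password counts, per-source sets, quoted count."""
    users, passwords, by_source = Counter(), Counter(), defaultdict(set)
    quoted = 0
    for src, user, pw, had_quote in parse(log_text):
        users[user] += 1
        passwords[pw] += 1
        by_source[src].add(pw)
        quoted += had_quote
    return users, passwords, by_source, quoted

def jaccard(a, b):
    """Overlap of two password sets: 1.0 identical, 0.0 disjoint."""
    return len(a & b) / len(a | b) if a | b else 0.0
```

A low Jaccard score between two sources indicates they are working from different wordlists, which is the pattern described in the first observation.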

Takeaways

Well…don’t use simple passwords.

I’ve added the lists to the SecLists Project under the passwords section.
