wordpress brute forcing :(

Looks like a fair number of wordpress installations are being brute-forced… SUCCESSFULLY :(

I guess the fix is going to have to be to automate the installation of something like the Limit Login Attempts plugin … but I believe we also need a script to reset admin passwords, certainly for compromised accounts both things need to be done.

Breaking in is no big deal for system administrators with database access, but to be able to change the admin password we need to know what format wordpress stores it as… looks like wordpress can use more than one format, and a straight md5 hash is acceptable… let’s test it!

yes, it does work… but you have to be careful not to include the \n in your hash… e.g. use the -n parameter to echo (no newline).

[root@eleven /var/lib/mysql/tbrowndb]# echo -n 5fHGZX | md5sum
1a5225f15301983e3b962e76a5c2163b  –

mysql -e “update wp_users set user_pass=’1a5225f15301983e3b962e76a5c2163b’ where user_login=’admin'” tbrowndb

That works (sets the admin password to 5fHGZX) … not sure what the default $P$ prefix indicates for a format, should read the code but too busy/lazy. OK, I have written a script to encapsulate this… wp.set.adminpw

So, that leaves figuring out what changes are required to install the limit login attempts plugin… but I don’t _have_ to have that for now… just to scale things, and to fix the installer…