In a previous post, I showed how to discover usernames on a WordPress site using WPScan. On a regular site without an extra layer of security such as two-factor authentication, a username and password are all one needs to gain access to the WordPress dashboard.
WPScan has a “brute force” option which can brute-force test (or attack, if you like) any WordPress site. Using this feature is easy: all it takes is a valid username and a common password wordlist.
I can’t tell you how easy it is to obtain a popular common password wordlist, but I can Google it. What I can tell you is that, during the past year of working with many clients and their hacked sites, it has been shocking to me that “admin” is still being used as the primary administrator login.
The top 25 common passwords list is just the tip of the iceberg. Beyond reading it for fun, site administrators should really review their security strategy and enforce user password rules on their sites. Bear in mind, by the time you finish reading the list of 25 passwords, hacker tools have already finished testing these passwords with a legitimate username against a WordPress site.
Here’s the list of the top 25 worst passwords used in 2014.
- 123456 (Unchanged)
- password (Unchanged)
- 12345 (Up 17)
- 12345678 (Down 1)
- qwerty (Down 1)
- 123456789 (Unchanged)
- 1234 (Up 9)
- baseball (New)
- dragon (New)
- football (New)
- 1234567 (Down 4)
- monkey (Up 5)
- letmein (Up 1)
- abc123 (Down 9)
- 111111 (Down 8)
- mustang (New)
- access (New)
- shadow (Unchanged)
- master (New)
- michael (New)
- superman (New)
- 696969 (New)
- 123123 (Down 12)
- batman (New)
- trustno1 (Down 1)
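A WPScan-style guessing run like the one described above shows up in the web server log as a burst of POSTs to wp-login.php from a single address. The following is an added detection example, not code from the original post: it flags such bursts in constructed combined-format access-log lines, assuming WordPress's default behaviour of answering a failed login with a 200 (re-rendered form) and a successful one with a 302 redirect; the IPs, timestamps and threshold are made up for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Map each IP that produced >= threshold failed wp-login.php POSTs inside any
    sliding window to the largest burst seen. A failed login is a POST answered
    with 200; a successful one is a 302 redirect and is not counted."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != "/wp-login.php" or status != 200:
            continue
        q = failures[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def _line(ip, second, status):
    # Constructed sample log line (RFC 5737 test addresses), not from a real server.
    return (f'{ip} - - [15/Jan/2015:10:00:{second:02d} +0000] '
            f'"POST /wp-login.php HTTP/1.1" {status} 3471 "-" "-"')

# 12 failures in 12 seconds from one address, plus a normal user who mistypes
# once (200) and then logs in successfully (302).
SAMPLE_LOG = [_line("203.0.113.5", s, 200) for s in range(12)] + [
    _line("198.51.100.7", 5, 200),
    _line("198.51.100.7", 9, 302),
]

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))  # {'203.0.113.5': 12}
```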