Nathan Willis

Whatthe

Nathan Willis at

So I did finally install 2FA-authentication and forced-SSL on my newly Let'sEncrypt-ed blog sites. Along the way, one of the plugins offered to send email notifications about rogue login attacks it's thwarted.

Which leads to the surprise. Between the two blogs, one of them is getting hammered non-stop with automated attempts to log in to the administrator account; the other is getting none. But the one under attack is my old, personal blog, which I have not posted to since 2011, and which is not linked to from anywhere on Earth. The one getting no frontal assault is my FOSS-related blog, which I do post to (admittedly not frequently) and which is syndicated in the planetsphere.

So what's the attack scenario here? Do automated attackers assume that a more dormant blog is more likely behind on its security updates and/or has more guessable passwords? I'm not clear....

AJ Jordan, clacke@libranet.de ❌, Stephen Michael Kellat, Christopher Allan Webber likes this.

clacke@libranet.de ❌, clacke@libranet.de ❌, Stephen Michael Kellat shared this.

If I were writing an attack bot, I think I would only consider a blog's dormancy as a last resort. First I would try to find what software the blog runs, including version numbers. Then I would use that info to look up default passwords and other known vulnerabilities.
Examining my own blog, for instance, I found my WordPress and jQuery versions just by watching which files got downloaded when I loaded the main page in Firefox:

jquery.js?ver=1.12.4

wp-embed.min.js?v=4.7.2
I would suspect that the age of your blogs is more relevant than their activity level. Your older blog probably got discovered some time ago - including whatever software versions it was running at the time - and added to a list of known blogs they could attack. The list gets passed from person to person. Now some script kiddie gets a copy of it and decides to use your blog for target practice.

James Dearing 🐲 at 2017-02-22T01:32:14Z