Research: Finding the source of the current surge in brute force attacks on WordPress sites.
This entry was posted in WordPress Security on April 18, 2014 by Mark Maunder
As you can see on our home page there is a large brute force attack underway that started around 10am Pacific Time yesterday (Thursday the 17th of April).
As part of our ongoing research into WordPress attacks we’re analyzing the source of the attacks and can share the following data:
- The vast majority of the attacks originate from other servers on the Internet that host websites. In other words, most of the attacking IP addresses sit on networks belonging to website hosting companies, and the majority of those are WordPress hosting companies. (This is in contrast to attacks coming from broadband subscribers, which would indicate a desktop virus or malware attacking WordPress sites, for example.)
- These machines have most likely been compromised and had malware installed, and they are now being used to launch attacks on other WordPress sites.
- In the past 2 hours we have seen 614,610 failed logins, to give you a sense of the scale of the current attack.
- Approximately 17% of those originate from a single European hosting company. We have reached out to this organization via backchannels to gather more data and report the compromised WordPress hosts.
- Over 30% of the attacks originate from 3 hosting companies in France, the USA and Berlin in that order. We are working with all three companies via backchannels.
- There are a total of 1297 IP addresses currently involved in the attack, and 304 of them have each generated over 1000 failed login attempts across our network of WordPress sites running Wordfence.
- The worst culprit is based in Michigan, USA and has generated over 22,000 failed logins across WordPress sites in the past 2 hours.
- The next worst are in Germany and St Petersburg, Russia and have generated 17,833 and 15,511 failed logins respectively during the past 2 hours.
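The per-IP counting behind the figures above, as an added example that is not part of the original post: it reads Apache-style access log lines (constructed samples, not real traffic), counts failed wp-login.php POSTs per source IP over a trailing two-hour window, and reports the IPs above a threshold with their share of the total. It assumes the WordPress convention that a failed login POST is answered with a 200 (the form is re-rendered) and a successful one with a 302 redirect.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache combined log format; we keep client IP, timestamp, request and status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample entries (not from the original post). A POST to
# wp-login.php answered with 200 is a failed login (form re-rendered);
# a 302 is a successful login redirect; GETs are just form loads.
SAMPLE_LOG = """\
198.51.100.7 - - [17/Apr/2014:07:59:59 -0700] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.7 - - [17/Apr/2014:10:00:01 -0700] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.7 - - [17/Apr/2014:10:00:02 -0700] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.7 - - [17/Apr/2014:10:00:03 -0700] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.44 - - [17/Apr/2014:10:05:00 -0700] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.44 - - [17/Apr/2014:10:05:01 -0700] "POST /wp-login.php HTTP/1.1" 200 3421
192.0.2.9 - - [17/Apr/2014:10:30:00 -0700] "GET /wp-login.php HTTP/1.1" 200 3421
192.0.2.9 - - [17/Apr/2014:10:30:05 -0700] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [17/Apr/2014:11:59:00 -0700] "POST /wp-login.php HTTP/1.1" 200 3421
"""

def parse_line(line):
    """Return (ip, timestamp, failed_login) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    failed = method == "POST" and path.split("?")[0] == "/wp-login.php" and status == "200"
    return ip, when, failed

def failed_logins_per_ip(log_text, hours=2):
    """Count failed wp-login.php POSTs per source IP in the trailing window,
    measured back from the newest entry (like the 'past 2 hours' figures)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    if not events:
        return Counter()
    cutoff = max(when for _, when, _ in events) - timedelta(hours=hours)
    return Counter(ip for ip, when, failed in events if failed and when > cutoff)

def worst_offenders(counts, threshold):
    """IPs with more than `threshold` failed logins, with their share (%) of the total."""
    total = sum(counts.values())
    return [(ip, n, round(100.0 * n / total, 1))
            for ip, n in counts.most_common() if n > threshold]
```

Run it as `worst_offenders(failed_logins_per_ip(open("access.log").read()), threshold=1000)` to reproduce the "over 1000 failed logins each" cut used above.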
To mitigate this attack we are reaching out to hosting companies, reporting infected IPs on their networks and establishing data-sharing relationships to help prevent future attacks.
Mark Maunder – Wordfence CEO.