Today we are releasing the WordPress Attack Report for April, 2017. You can also find these previous attack reports on our blog:
This report contains the top 25 attacking IPs for the month of April and their details. It also includes charts of brute force attack activity and complex attack activity for the period. We also include the top themes and plugins that were attacked and which countries generated the most attacks for the period.
The Top 25 Attacking IPs
I’m including our standard explanation of how the table below works. If you are familiar with our attack reports, you can skip down to the table below which contains the April data and read my comments that follow the table.
Brief introduction if you are new to viewing these reports
In the table below we have listed the most active attack IPs for April 2017. Note that the ‘Attacks’ column is in millions and is the total of all attacks that originated from each IP. Further right in the table (you may have to scroll right) we break out the attacks into ‘brute force’ attacks and ‘complex’ attacks.
Brute force attacks are login guessing attacks. What we refer to as ‘complex’ attacks are attacks that were blocked by a rule in the Wordfence firewall.
We have also included the netblock owner, which is the organization, usually a company, that owns the block of IP addresses that the attack IP belongs to. You can Google the name of the owner for more information. A Google search for any of these IP addresses frequently shows reports of attacks.
The hostname included is the PTR record (reverse DNS record) that the IP address owner created for their IP, so this is not reliable data but we include it for interest. For example, we have seen PTR records that claim the IP is a Tor exit node, but it is clearly not, based on traffic.
We also include the country and city if available. To the far right of the report we show the date in April when we started logging attacks and the date attacks stopped.
The Top Attacking IPs
The total attacks from our top 25 attackers increased from 118 million in March to 137 million total attacks on WordPress sites from these IP addresses in April 2017.
The distribution of brute force attacks compared to complex attacks among the top 25 attackers remained roughly the same. 32% of attacks on WordPress sites in April were complex attacks. 68% were brute force attacks. Brute force attacks remain by far the most popular attack method on WordPress sites.
Turkey made up a total of 11 of our top 25 attacking IPs in April. There are a total of 5 separate ISPs in Turkey that contributed to the top 25 attacking IPs.
Brute Force Attacks on WordPress in April 2017
The chart below shows the brute force attack activity on WordPress sites that we monitor for the month of April.
The average number of daily brute force attacks from March to April 2017 is amazingly consistent. We saw almost exactly 35 million average attacks per day for both months. There was a slight upward trend in volume during the month and about the same level of volatility. The peak in March was just over 45 million attacks in a single day and the lowest day was at the beginning of the month with 27 million brute force attacks in a single day.
Complex Attacks on WordPress in April 2017
The graph below shows complex attacks (attacks that try to exploit a vulnerability) for the month of April 2017.
We saw an uptick in complex attack activity in April on WordPress sites that Wordfence protects. The daily average increased from 3.8 million attacks per day to 5.9 attacks per day.
We also saw a significant upward swing in attacks towards the end of the month with the daily total complex attacks on WordPress sites approaching 10 million.
Attacks on Themes in April 2017
The table below shows the total number of attacks on WordPress themes. We identify each theme using it’s ‘slug’ which is the directory in which it is installed in WordPress.
The most commonly attacked themes on WordPress for the month of April is surprisingly stable. Almost all themes in our top 25 were also in the list last month with a slight reshuffling.
Attacks on Plugins in April 2017
The table below shows the attacks we saw on plugins across the sites Wordfence protects. As with themes, we identify each plugin by its unique ‘slug’ which is the unique installation directory where the plugin is installed.
The biggest gainer in our top 25 most attacked plugins is the “N-Media Post Front-end Form”. The plugin author fixed a file upload vulnerability about 7 months ago. The vulnerability was disclosed in August 2015, so was in the wild for a long time before it was fixed, which is probably why it became part of many attack toolkits even though it only has 60 active installs. It is important to note that the large majority of these attacks are attempting to exploit vulnerabilities that have already been fixed.
Attacks by Country for April 2017
The table below shows the top 25 countries that attacks originated from in the month of April on WordPress sites that we monitor.
Our usual suspects are still at the top of the list of the top countries from where attacks on WordPress originate. The most remarkable thing about the list is that Algeria is still in the top 25. The home router botnet we wrote about in early April continued attacking WordPress sites throughout the month of April.
We published a post 48 hours ago in which we explained that there was a dramatic drop in attacks on WordPress from hacked routers around the world. The drop occurred rapidly when you consider the scale of attacks. This includes attacks from Algeria and we expect that Algeria may drop out of the top 25 list completely in next months report if the home router botnet remains shut down.
That concludes our attack report for the month of April 2017. As always we will continue to monitor attack activity on WordPress sites in real-time. If you have any questions or comments about the report, as always I welcome your feedback in the comments and I’ll do my best to reply.
Mark Maunder – Wordfence Founder/CEO.