The May 2017 WordPress Attack Report
Today’s post is a continuation of the WordPress Attack Report series we’ve been publishing since December 2016. Previous versions can be found here: April 2017, March 2017, February 2017, January 2017 and December 2016.
This report contains the top 25 attacking IPs for the month of May and their details. It also includes charts of brute force and complex attack activity for the same period. We also include the top themes and plugins that were attacked, and which countries generated the most attacks for this period.
The Top 25 Attacking IPs
The next section is our standard explanation of how the table below works. If you are familiar with our attack reports, you can skip down to the table below which contains the data for May along with my commentary.
Brief Introduction (If You Are New to Viewing These Reports)
In the table below, we’ve listed the most active attack IPs for May 2017. Note that the “Attacks” column is in millions, and is the total of all attacks that originated from each IP. Farther right in the table (you may have to scroll right) we break down the attacks into “brute force” attacks and “complex” attacks.
Brute force attacks are login-guessing attacks. What we refer to as “complex attacks” are attacks that were blocked by a rule in the Wordfence firewall.
We have also included the netblock owner, which is the organization (usually a company) that owns the block of IP addresses that the attack IP belongs to. You can Google the name of each owner for more information. A Google search for any of these IP addresses frequently shows reports of attacks.
The hostname included is the PTR record (reverse DNS record) that the IP address owner created for the IP, so this is not reliable data, but we still include it for interest. For example, we have seen PTR records that claim an IP is a Tor exit node, when, based on traffic, it is clearly not.
We also include the city and country, if available. To the far right of the report, we show the date in April when we started logging attacks and the date the attacks stopped.
The Top Attacking IPs
The total attacks from the top 25 attacking IPs increased from 137 million in April to 144 million in May.
Brute force attacks made up 72% of total attacks for May, up from 68% in April. Complex attacks accounted for 28%.
Turkey and Ukraine continued to dominate the top 25 list, accounting for 16 of the IPs on the list.
Brute Force Attacks on WordPress in May 2017
In the chart below, we show the number of daily brute force attacks on the sites we monitor for the month of May.
The average number of daily brute force attacks dropped by almost 39% this month – a massive drop in volume after two months of much higher volume. As we wrote about on May 2nd, a home router botnet shut down which had previously been performing brute force password-guessing attacks on WordPress sites. The peak day for the month was also much lower, at just over 30 million versus over 46 million the previous month.
Complex Attacks on WordPress in May 2017
In the graph below, we show the daily complex attacks (attacks that attempt to exploit a security vulnerability) for May.
Average daily attack volume for May was down was down just 6% from April for the sites that Wordfence protects at 5.4 million.
Similar to April, we saw an uptick in volume toward the end of the month, peaking at over 9 million attacks in a single day.
Attacks on Themes in May 2017
The table below shows the total number of attacks on WordPress themes. We identify each theme using its slug, which is the directory where it is installed in WordPress.
There was quite a bit of change in the rankings from last month. Most notably, ypo-theme jumped 30 places in the rankings, going from number 34 to 4.
Based on a quick Google search, that theme doesn’t appear to be available for download anymore. There was quite a bit of content published in 2016 about an Arbitrary File Download vulnerability, so we took a closer look at the attacks to try to figure out what’s behind the spike in attack volume and to see if the two were related.
The first thing we noticed is that the attacks do appear to be attempting to exploit the Arbitrary File Download vulnerability we referenced above. Attackers attempt to download the wp-config.php file from the targeted sites. Secondly, the vast majority of attacks are originating from a small list of IP addresses. Almost 57% of the attacks are coming from 220.127.116.11, an IP from Saint Petersburg, Russia. Over 92% of all attacks are originating from just 10 IPs. We think it’s likely that the surge in attacks on this particular plugin vulnerability can be attributed to a single attacker.
Attacks on Plugins in May 2017
The table below shows the total number of attacks on WordPress plugins. As with themes, we identify each plugin by its unique slug, which is the unique installation directory where the plugin is installed.
Similar to what we saw with themes, the top 25 list for plugins had quite a lot of change. Ten plugins in the top 25 this month weren’t on the list last month. Most of those 10 jumped dramatically in the rankings this month. We took a look at the highest ranked plugin of the 10 newbies, sell-downloads, to see if we could figure out what is behind the increase in “popularity.”
According to WordPress.org, the Sell Downloads plugin has roughly 900 active users. There was a security vulnerability published in December of 2015 that impacts versions 1.0.16, but the current version of the plugin is 1.0.42, so we assume that vulnerability has been fixed for a long time.
We then looked at where the attacks were originating and discovered quite a coincidence: the same IP that was responsible for the surge in attacks on ypo-theme – 18.104.22.168 – was responsible for over 71% of the attacks on this plugin in the month of May. The top 10 IPs were responsible for over 95% of attacks on the plugin.
Attacks by Country for May 2017
The table below shows the top 25 countries from which attacks originated in the month of May on WordPress sites that we monitor.
Country rankings were very stable at the top of the list this year, as is frequently the case. There was quite a bit of movement toward the bottom of the list, but at relatively low volumes.
That concludes our May 2017 WordPress attack report. It was really nice to see the volume of brute force attacks down for the month. We hope that trend continues.