The June 2017 WordPress Attack Report
Today’s post is a continuation of the WordPress Attack Report series we’ve been publishing since December 2016. Previous months’ reports can be found here:
This report contains the top 25 attacking IPs for the month of June and their details. It also includes charts of brute force and complex attack activity for the same period. We also include the top themes and plugins that were attacked, and which countries generated the most attacks for this period.
The Top 25 Attacking IPs
The next section is our standard explanation of how the table below works. If you are familiar with our attack reports, you can skip down to the table below this section, which contains the data for June along with some commentary.
Brief Introduction (If You Are New to Viewing These Reports)
In the table below, we’ve listed the most active attack IPs for June 2017. Note that the “Attacks” column is in millions, and is the total of all attacks that originated from each IP. Farther right in the table (you may have to scroll right) we break down the attacks into “brute force” attacks and “complex” attacks.
Brute force attacks are login-guessing attacks. (You can learn more about how brute force attacks work in our Learning Center’s article about them.) What we refer to as “complex attacks” are attacks that were blocked by a rule in the Wordfence firewall.
We have also included the netblock owner, which is the organization (usually a company) that owns the block of IP addresses that the attack IP belongs to. You can Google the name of each owner for more information. A Google search for any of these IP addresses frequently shows reports of attacks.
The hostname included is the PTR record (reverse DNS record) that the IP address owner created for the IP, so this is not reliable data, but we still include it for interest. For example, we have seen PTR records that claim an IP is a Tor exit node, when, based on traffic, it is clearly not.
We also include the city and country, if available. To the far right of the report, we show the date in June when we started logging attacks and the date the attacks stopped.
The Top Attacking IPs
The total attacks from the top 25 attacking IPs decreased slightly from 144 million in May to 133 million in June.
Brute force attacks made up 67% of total attacks for June, up from 72% in May. Complex attacks accounted for 33%.
Ukraine had the most IPs on the top 25 list with 7, followed by the United States with 7.
Brute Force Attacks on WordPress in June 2017
In the chart below, we show the number of daily brute force attacks on the sites we monitor for the month of June.
The average number of daily brute force attacks increased 36% from last month, a return to “normal volumes” after a relatively quiet May. As we discussed in our June 15th post, a home router based botnet resumed attacking mid-month. The peak day for the month was much higher, at over 41 million versus just over 30 million in May.
Complex Attacks on WordPress in June 2017
In the graph below, we show the daily complex attacks (attacks that attempt to exploit a security vulnerability) for June.
Average daily attack volume for June was up 32% from May for the sites that Wordfence protects at 7.2 million.
Attack volume was quite a bit higher in the second half of the month, peaking at over 11 million attacks in a single day.
Attacks on Themes in June 2017
The table below shows the total number of attacks on WordPress themes. We identify each theme using its slug, which is the directory where it is installed in WordPress.
As usual, there was quite a bit of change in the rankings from last month. There were four new themes on the list: elegance, awake, infocus and dejavu. The large majority of the attacks on all of the themes are attempts to exploit a well known vulnerability in a php file they all shared that was publicly disclosed a few years ago. Almost 98% of these attacks originate from just two IP addresses: 188.8.131.52 and 184.108.40.206. Both are from the same ISP: SpeciaList S.R.L. in the Netherlands. The jump in attack volume is almost certainly due to the actions of a single attacker.
Attacks on Plugins in June 2017
The table below shows the total number of attacks on WordPress plugins. As with themes, we identify each plugin by its unique slug, which is the unique installation directory where the plugin is installed.
The top 25 list for plugins also changed quite a bit. Five plugins in the top 25 this month weren’t on the list in May.
We took a look at the plugin with the biggest jump in the ranking, dzs-zoomsounds, to see what is behind the increase. The attacks are all malicious file upload attempts, trying to exploit a vulnerability that was disclosed over two years ago. Over 99% of the attacks originate from the same Russian IP address: 220.127.116.11.
Attacks by Country for June 2017
The table below shows the top 25 countries from which attacks originated in the month of June on WordPress sites that we monitor.
The top 3 countries remained stable, with the United States and Ukraine swapping places at 2 and 3. There was a lot of movement at the bottom of the list, primarily driven by the home router botnet resuming its attacks. You’ll notice that Algeria is back on the list, climbing 65 spots. It was Algeria’s rise in the rankings in our March report that led to our original discovery of the home router botnet.
That concludes our June 2017 WordPress attack report. We were disappointed to see attack volumes up in June after a quieter-than-normal May. Let’s hope that trend reverses itself in July.