
The August 2017 WordPress Attack Report

This entry was posted in Monthly Attack Activity Report, WordPress Security on September 15, 2017 by Dan Moen.

This is the ninth edition of the WordPress Attack Report series we’ve been publishing since December 2016. You can find reports from the previous months here:

This report contains the top 25 attacking IPs for the month of August and their details. It also includes charts of brute force and complex attack activity for the same period. We also include the top themes and plugins that were attacked and which countries generated the most attacks for this period.

The Top 25 Attacking IPs

The next section is our standard explanation of how the table below works. If you are familiar with our attack reports, you can skip down to the table below this section, which contains the data for August along with some commentary.

Brief Introduction (If You Are New to Viewing These Reports)

In the table below, we’ve listed the most active attack IPs for August 2017. Note that the “Attacks” column is in millions, and is the total of all attacks that originated from each IP. Farther right in the table (you may have to scroll right) we break down the attacks into “brute force” attacks and “complex” attacks.

Brute force attacks are login-guessing attacks. You can learn more about how brute force attacks work in our Learning Center article about them. What we refer to as “complex attacks” are attacks blocked by a rule in the Wordfence firewall.

We have also included the netblock owner, which is the organization (usually a company) that owns the block of IP addresses that the attack IP belongs to. You can Google the name of each owner for more information. A Google search for any of these IP addresses frequently shows reports of attacks.

The hostname included is the PTR record (reverse DNS record) that the IP address owner created for the IP, so this is not reliable data, but we still include it for interest. For example, we have seen PTR records that claim an IP is a Tor exit node, when, based on traffic, it is clearly not.
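Because a PTR record is whatever the netblock owner chose to publish, the usual sanity check is forward-confirmed reverse DNS: resolve the PTR name back to an address and see whether it matches. The following is an added example, not part of the report or Wordfence's tooling; the `fake_reverse`/`fake_forward` resolvers and their data are constructed so it runs offline, and the default lookups use the standard `socket` module.

```python
import socket

def forward_confirmed_rdns(ip, reverse=None, forward=None):
    """Return (hostname, confirmed).

    confirmed is True only if the PTR hostname resolves forward to an address
    set containing ip. An unconfirmed name (e.g. a PTR claiming to be a Tor
    exit) is informational only, since anyone who controls the netblock can
    publish any string they like.
    """
    reverse = reverse or (lambda a: socket.gethostbyaddr(a)[0])
    forward = forward or (lambda h: socket.gethostbyname_ex(h)[2])
    try:
        host = reverse(ip)
    except (socket.herror, socket.gaierror, OSError):
        return None, False          # no PTR at all
    try:
        addrs = forward(host)
    except (socket.herror, socket.gaierror, OSError):
        return host, False          # PTR exists but does not resolve forward
    return host, ip in addrs

# Constructed PTR and A data standing in for live DNS (documentation-range IPs).
FAKE_PTR = {'192.0.2.10': 'tor-exit.example.net', '198.51.100.7': 'host7.example.org'}
FAKE_A = {'tor-exit.example.net': ['203.0.113.99'], 'host7.example.org': ['198.51.100.7']}

def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise socket.herror(1, 'Unknown host')
    return FAKE_PTR[ip]

def fake_forward(host):
    return FAKE_A.get(host, [])
```

Calling `forward_confirmed_rdns('192.0.2.10', fake_reverse, fake_forward)` shows the case the text describes: a PTR name that claims to be a Tor exit but does not resolve back to the address.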

We also include the city and country, if available. To the far right of the report, we show the date in August when we started logging attacks and the date the attacks stopped.

The Top Attacking IPs

The total attacks from the top 25 attacking IPs increased by almost 9% from August.

Brute force attacks made up 91% of total attacks for August, up from 87% in July, which we had thought was an amazing number. Complex attacks accounted for 9% of the volume.

The United States dominated the list this month, with 13 of the top 25 IPs. Ukraine had the second most IPs with 7. Turkey was notably absent from the top 25 this month.

Brute Force Attacks on WordPress in August 2017

In the chart below, we show the number of daily brute force attacks on the sites we monitor for the month of August.


The average number of daily brute force attacks was down 9% from last month after growing the previous two months. Daily attack volumes were stable for most of the month, but plummeted on the 27th, dropping by roughly half for the final five days.

Complex Attacks on WordPress in August 2017

In the graph below, we show the daily complex attacks (attacks that attempt to exploit a security vulnerability) for August.

Average daily attack volume for August was up 1% from August for the sites that we protect at 7.8 million. Daily volume was stable throughout the month, similar to what we saw in July.

Attacks on Themes in August 2017

The table below shows the total number of attacks on WordPress themes. We identify each theme using its slug, which is the directory where it is installed in WordPress.

As usual we saw a lot of movement in the top 25 in August compared to July. The biggest move on the list was the ‘twentyseventeen’ theme, moving up 95 spots to #2. Another big mover, the ‘sketch’ theme, moved up 34 spots to #6. Looking at the attacks involving both, they appear to be probe requests, looking for vulnerabilities that can be exploited in a subsequent request. We do not believe the attackers were attempting to exploit a vulnerability in these themes directly; rather, they were referencing very common themes in the probe requests.

Another big mover on the list is the ‘nemesis’ theme, a premium WordPress theme that has been around since 2012. All of those attacks attempted to exploit a vulnerability in TimThumb versions <= 1.33, so we assume that the theme included a vulnerable version of TimThumb some time in the past. The attacks appear to be coming from at least one large botnet, as we saw attacks from 1637 unique IP addresses.

Attacks on Plugins in August 2017

The table below shows the total number of attacks on WordPress plugins. As with themes, we identify each plugin by its unique slug, which is the unique installation directory where the plugin is installed.

As usual the top 25 list for plugins was pretty stable at the top with quite a bit of movement toward the bottom. There were 8 plugins on the list that weren’t in the top 25 in July. We looked into the details behind the first big mover toward the top of the list, ‘formcraft’. Almost all of the attacks were malicious file upload attacks, likely attempting to exploit a vulnerability that was made public in February of 2016.

We took a look at the attacks on the next highest big mover, ‘easyrotator-for-wordpress’, and found that almost all of the requests appear to be attempting to probe for, and in some cases send commands to, backdoor files. Over 30 thousand unique sites were hit with these attacks, so we assume that the attacker was looking for backdoors that another attacker had already installed rather than communicating with backdoors they had installed themselves.

The next big mover on the list, ‘hb-audio-gallery-lite’, moved up as a result of attempts to exploit a vulnerability that has been public since March of 2016. Over 89% of the attacks originated from just two IP addresses.

Another big mover, ‘rb-agency’, saw attempts to exploit a vulnerability made public in September of 2016. Interestingly, over 91% of the attacks originated from the same two IP addresses responsible for the majority of the ‘hb-audio-gallery-lite’ attacks.
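The theme and plugin tables above are built by attributing each request to a slug, the directory under wp-content/, and the brute force figures by counting login-guessing traffic. The following is an added example of that bookkeeping over ordinary web server access logs; it is not Wordfence's code and its log lines are constructed. It treats POSTs to wp-login.php or xmlrpc.php as login guessing (an approximation of the report's "brute force" category) and, per slug, reports request count, distinct source IPs (the figure behind "1637 unique IP addresses") and 404 responses, since a probe for a file that does not exist is the pattern the text describes for the ‘twentyseventeen’ requests.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log line: client IP, request line, HTTP status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# A theme or plugin is identified by its slug: its directory under wp-content/.
SLUG_RE = re.compile(r'/wp-content/(?P<kind>themes|plugins)/(?P<slug>[^/?#]+)/')

def parse_line(line):
    """Return (ip, category, kind, slug, status), or None for traffic of no interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m['ip'], m['method'], m['path'], int(m['status'])
    bare = path.split('?', 1)[0]
    if method == 'POST' and bare.endswith(('/wp-login.php', '/xmlrpc.php')):
        return ip, 'brute_force', None, None, status  # login guessing (approximation)
    s = SLUG_RE.search(bare)
    if s:
        return ip, 'component', s['kind'], s['slug'], status
    return None

def summarize(lines):
    """Count login POSTs, and per slug: requests, distinct source IPs, 404 responses."""
    brute = 0
    comp = defaultdict(lambda: {'requests': 0, 'ips': set(), 'not_found': 0})
    for ip, cat, kind, slug, status in filter(None, map(parse_line, lines)):
        if cat == 'brute_force':
            brute += 1
            continue
        entry = comp[(kind, slug)]
        entry['requests'] += 1
        entry['ips'].add(ip)
        entry['not_found'] += int(status == 404)  # asks for a file that is not there: probe-like
    table = {k: {'requests': v['requests'], 'unique_ips': len(v['ips']),
                 'not_found': v['not_found']} for k, v in comp.items()}
    return {'brute_force': brute, 'components': table}

# Constructed sample lines (not from the report); IPs are from documentation ranges.
SAMPLE = [
    '192.0.2.10 - - [03/Aug/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1200',
    '192.0.2.10 - - [03/Aug/2017:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400',
    '198.51.100.7 - - [03/Aug/2017:10:01:00 +0000] "GET /wp-content/themes/twentyseventeen/x.php HTTP/1.1" 404 300',
    '203.0.113.5 - - [03/Aug/2017:10:01:05 +0000] "GET /wp-content/themes/twentyseventeen/x.php HTTP/1.1" 404 300',
    '203.0.113.5 - - [03/Aug/2017:10:02:00 +0000] "GET /wp-content/themes/twentyseventeen/style.css HTTP/1.1" 200 9000',
    '198.51.100.7 - - [03/Aug/2017:10:03:00 +0000] "POST /wp-content/plugins/formcraft/probe.php?a=1 HTTP/1.1" 404 300',
]
```

`summarize(SAMPLE)` yields two login POSTs and, for ‘twentyseventeen’, three requests from two IPs of which two were 404s; the legitimate style.css fetch shows why raw request counts per slug need the 404 column (or a firewall verdict) before being read as attacks.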

Attacks by Country for August 2017

The table below shows the top 25 countries from which attacks originated in the month of August on WordPress sites that we monitor.

The top of the list was pretty stable, with the United States and Russia trading places at the top and the Ukraine holding at number 3.

Conclusion

That concludes our August 2017 WordPress attack report. It was nice to see attack volumes drop off at the end of the month, and we hope that trend continues through the month of September.


6 Comments on "The August 2017 WordPress Attack Report"

Bob, September 15, 2017 at 11:11 am

I always like and appreciate these reports. I try to block the top countries on the list except for USA since I do not do business with them anyway. Thanks.

Ken Cline, September 15, 2017 at 11:27 am

I think an interesting addition to this would be a trailing-year average. I realize you don't have quite a full year yet, but there's enough history to show the larger trend.

Dan Moen, September 15, 2017 at 11:36 am

Thanks Ken, that's a good idea.

David Norwood, September 15, 2017 at 3:59 pm

Thank you for the banned IP list. I hate those hackers. I wish there was a way to reverse hack them. Has anyone ever done that?

Dan Moen, September 15, 2017 at 4:22 pm

I'm sure plenty of people attempt to hack back, but it's illegal at least in the United States. Check out the Computer Fraud and Abuse Act: https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act.

Hans Fransen, September 16, 2017 at 5:20 am

Chapeau!

Keep going with the good work, a job that will be a lifetime's work for some of us.
