The April 2017 WordPress Attack Report

Today we are releasing the WordPress Attack Report for April, 2017. You can also find these previous attack reports on our blog:

This report contains the top 25 attacking IPs for the month of April and their details. It also includes charts of brute force attack activity and complex attack activity for the period. We also include the top themes and plugins that were attacked and which countries generated the most attacks for the period.

The Top 25 Attacking IPs

I’m including our standard explanation of how the table below works. If you are familiar with our attack reports, you can skip down to the table below which contains the April data and read my comments that follow the table.

Brief introduction if you are new to viewing these reports

In the table below we have listed the most active attack IPs for April 2017. Note that the ‘Attacks’ column is in millions and is the total of all attacks that originated from each IP. Further right in the table (you may have to scroll right) we break out the attacks into ‘brute force’ attacks and ‘complex’ attacks.

Brute force attacks are login guessing attacks. What we refer to as ‘complex’ attacks are attacks that were blocked by a rule in the Wordfence firewall.

We have also included the netblock owner, which is the organization, usually a company, that owns the block of IP addresses that the attack IP belongs to. You can Google the name of the owner for more information. A Google search for any of these IP addresses frequently shows reports of attacks.

The hostname included is the PTR record (reverse DNS record) that the IP address owner created for their IP, so this is not reliable data but we include it for interest. For example, we have seen PTR records that claim the IP is a Tor exit node, but it is clearly not, based on traffic.

We also include the country and city if available. To the far right of the report we show the date in April when we started logging attacks and the date attacks stopped.

The Top Attacking IPs

The total attacks from our top 25 attackers increased from 118 million in March to 137 million total attacks on WordPress sites from these IP addresses in April 2017.

The distribution of brute force attacks compared to complex attacks among the top 25 attackers remained roughly the same. 32% of attacks on WordPress sites in April were complex attacks. 68% were brute force attacks. Brute force attacks remain by far the most popular attack method on WordPress sites.

Turkey made up a total of 11 of our top 25 attacking IPs in April. There are a total of 5 separate ISPs in Turkey that contributed to the top 25 attacking IPs.

Brute Force Attacks on WordPress in April 2017

The chart below shows the brute force attack activity on WordPress sites that we monitor for the month of April.

The average number of daily brute force attacks from March to April 2017 is amazingly consistent. We saw almost exactly 35 million average attacks per day for both months. There was a slight upward trend in volume during the month and about the same level of volatility. The peak in March was just over 45 million attacks in a single day and the lowest day was at the beginning of the month with 27 million brute force attacks in a single day.

Complex Attacks on WordPress in April 2017

The graph below shows complex attacks (attacks that try to exploit a vulnerability) for the month of April 2017.

We saw an uptick in complex attack activity in April on WordPress sites that Wordfence protects. The daily average increased from 3.8 million attacks per day to 5.9 attacks per day.

We also saw a significant upward swing in attacks towards the end of the month with the daily total complex attacks on WordPress sites approaching 10 million.

Attacks on Themes in April 2017

The table below shows the total number of attacks on WordPress themes. We identify each theme using it’s ‘slug’ which is the directory in which it is installed in WordPress.

The most commonly attacked themes on WordPress for the month of April is surprisingly stable. Almost all themes in our top 25 were also in the list last month with a slight reshuffling.

Attacks on Plugins in April 2017

The table below shows the attacks we saw on plugins across the sites Wordfence protects. As with themes, we identify each plugin by its unique ‘slug’ which is the unique installation directory where the plugin is installed.

The biggest gainer in our top 25 most attacked plugins is the “N-Media Post Front-end Form”. The plugin author fixed a file upload vulnerability about 7 months ago. The vulnerability was disclosed in August 2015, so was in the wild for a long time before it was fixed, which is probably why it became part of many attack toolkits even though it only has 60 active installs. It is important to note that the large majority of these attacks are attempting to exploit vulnerabilities that have already been fixed.

Attacks by Country for April 2017

The table below shows the top 25 countries that attacks originated from in the month of April on WordPress sites that we monitor.

Our usual suspects are still at the top of the list of the top countries from where attacks on WordPress originate. The most remarkable thing about the list is that Algeria is still in the top 25. The home router botnet we wrote about in early April continued attacking WordPress sites throughout the month of April.

We published a post 48 hours ago in which we explained that there was a dramatic drop in attacks on WordPress from hacked routers around the world. The drop occurred rapidly when you consider the scale of attacks. This includes attacks from Algeria and we expect that Algeria may drop out of the top 25 list completely in next months report if the home router botnet remains shut down.

Conclusion

That concludes our attack report for the month of April 2017. As always we will continue to monitor attack activity on WordPress sites in real-time. If you have any questions or comments about the report, as always I welcome your feedback in the comments and I’ll do my best to reply.

Mark Maunder – Wordfence Founder/CEO.

Did you enjoy this post? Share it!

Comments

17 Comments
  • Thanks for all your effort and your passion for protecting WordPress web sites. I have used Wordfence since I first had a web site. I can't understand why anyone would not use it.

    I just thought I would let you know how much your work is appreciated by me.

    Thanks again.

    David Oliver

    • Thanks David.

  • Turkey is upside down now and no wonder there is a lot of stuff coming from that country. With what their current government is doing and what the rebels against the government are doing, all nefarious stuff.

    I would suggest to anyone who has a premium account is to place a block to the country of Turkey and immediately block all IP's from them. Of course, that won't help if you are in Turkey and using Wordfence.

    • I do not think that you should mix-up the political situation in Turkey with the increase of the amount of attacks coming from there, and that one should block Turkey. Do not put all Turkish under general suspicion because of that situation! There are still serious journalists who need information from outside, and share their information abroad.

  • Typo: The most remarkable *think* about the list

    • Thanks Mike. Fixed.

  • Thanks for taking effort to create an awareness. Till time I am not using wordfence for my website, but now i will definitely use this. Thanks for great tabulation and presenting valuable data.

  • Your reports are great as is your plugin! But would you please be so kind as to clarify the name of the plugins and themes a bit better? I was afraid that I might use db-backup but got confused by the many plugins which are shown when searching from within my WordPress site. But not any with the name "db-backup"...
    Fortunately (?) I use WP-DBManager and Dropbox Backup and Restore :)

    • I'd love to but it's a bit labor intensive. We only log the plugin slug when logging attacks, so I'd have to manually look up the names of all plugins for the report. In some cases they are commercial plugins that are no longer supported so the name is hard to find. Will try to do it for next report if I have time. Thanks for the feedback.

      • Would it be a good idea to add some of the worst IPs to .htaccess files so they don't eat up bandwidth and spam my online forms for non-wordpress sites?

        • You could, but the IPs change frequently.

  • Just subscribed to your clean up 149 dollar.. Im sure it will be worth the buck.. thanks for great information about hacking, spam etc.. Knowledge is power against fraudulent people/hackers..

    Keep it up..

  • Thanks Mark, wow so many attacks from those top attacking IPs.

    I have other Non-wordpress sites on same server (mainly static or php sites) so they don't have the benefit of Wordfence to block brute force attacks.

    Would it be a good idea for me to add some of the worst IPs to the .htaccess file so they don't eat up bandwidth and spam my online forms?

    eg:
    Order Deny,Allow
    Deny from 193.201.224.205
    Deny from 192.187.98.42
    Deny from 185.159.36.6
    Deny from 91.200.12.15
    Deny from 91.200.12.49
    Deny from 160.202.162.19

    Thanks for your time and advice, cheers, Ian

    • This is exactly the way I use to block IPs whose owners try to login to my site most frequently. For me, it works very well.

  • thanks for all your effort on wp

  • Looking at the source IP list, I realized that by sorting by IP rather than attacks, that networks 4 networks account for about 100M attacks last month. One in Turkey shows up in several spots in the list. So I blocked all 4 of them - buh bye.

  • Thanks for all your effort and your passion for protecting my web site WordPress.
    I have used Wordfence since I first had a web site.