If you haven’t done a security audit on your WordPress sites recently, now is the time!
Breaking: Aggressive WordPress Brute Force Attack Campaign Started Today, December 18, 2017, @ 3am UTC
by Mark Maunder, Wordfence
December 18, 2017
A massive distributed brute force attack campaign targeting WordPress sites started this morning at 3am Universal Time, 7pm Pacific Time. The attack is broad in that it uses a large number of attacking IPs, and is also deep in that each IP is generating a huge number of attacks. This is the most aggressive campaign we have seen to date, peaking at over 14 million attacks per hour.
The attack campaign was so severe that we had to scale up our logging infrastructure to cope with the volume when it kicked off, which makes it clear that this is the highest-volume attack we have seen in Wordfence history, since 2012.
The campaign has continued to ramp up in volume during the past hour as we publish this post. The graph below shows the number of attacks per hour and the number of attacking IPs that we see each hour.
Our infrastructure automatically blacklisted the participating IPs in real time and distributed those to our Premium customers. This all happened unattended early this morning. We continue to monitor the campaign and are analyzing its origin and who is behind it.
What we know at this time:
- The attack has so far peaked at 14.1 million attacks per hour.
- The total number of IPs involved at this time is over 10,000.
- We are seeing up to 190,000 WordPress sites targeted per hour.
- This is the most aggressive campaign we have ever seen by hourly attack volume.