A new report shows that Russia maintains the top position among top 25 countries attacking WordPress, the world’s most popular website builder and content management system.
The February 2017 WordPress Attack Report just released shows that Russia maintained the top position it occupied in January among the top 25 attacking countries with the total of 181 attacks.
Closely following Russia is the United States of America that occupies the second spot with the total of 73 attacks after climbing 3 places from the 5th position it occupied in January, while France remained in 3rd spot with no changes.
The most notable change in this category remains Indonesia, which made its debut on the top 25 by climbing 19 places since last month.
The Philippines and Malaysia are also big gainers climbing 12 and 10 places respectively, according to the WordPress Attack Report.
In the top 25 most active IPs, Turkish provider “Ideal Hosting” generated 23.85 million attacks from 9 IPs as demonstrated in the data presented by WordPress. 9 attacking IP addresses are on the same Ideal Hosting network based in Turkey with the AS number 29262.
“Ideal Hosting provides managed services with ports speeds up to 10Gbps. Their website includes full contact info, so we don’t think that they are a bullet proof host but are instead just suffering from a severe security problem across multiple IP addresses. They may be leasing dedicated servers to a smaller hosting provider who is not securing the servers correctly, providing an attack platform”, according to the WordPress report,
The report also says that all of the attacks from this network were brute force attacks and every IP except one is a new entrant onto the top 25 list.
The highest spot they achieved was 25 in January for a single IP but now they are up to 9 IPs attacking and have hit the number 7 spot on the top 25 list.
Another provider HostKey.com with the AS number 57043 from the Netherlands, according to the WordPress Attack Report, generated 17.53 million attacks from 6 IPs during February.
“As is the case above, HostKey may be leasing servers to a customer that is not securing them and who has inadvertently created an attack platform. HostKey appeared on our top 25 list for the first time with 3 IP addresses at positions 8, 9 and 12 respectively. They have now expanded to 6 IP addresses on the list and have generated a total of 17.53 million attacks across the sites we protect for February,” the WordPress Report says.
Furthermore, the report noted an exclusive behaviour by a particular IP address 220.227.234.129 belonging to Reliance Communications based in Hyderabad, India.
This IP is said to be attacking a large number of websites that no other IP in the top 25 is attacking and it is the only IP among the top25 that is based in India.
“One possible theory to explain the completely independent behaviour of this IP is that it is targeting Indian websites. The attacker may also have a unique way of locating target websites that no other IP in our top 25 used,” WordPress says.
The attacks were broken by WordPress into brute force and complex attacks. Brute force attacks as explained by WordPress are login guessing attacks while ‘complex’ attacks are attacks that were blocked by a rule in the WordFence firewall.
WordPress says it experienced a huge spike in brute force attack activity this February starting at approximately February 20th and sustaining until the end of the month.
“As a reminder, these are simply login guessing attacks. Wordfence blocked an average of 30 million brute force attacks per day across the websites that we protect in February. This is an increase from the 26 million attacks per day average we saw in January”, WordPress says.
Notably, while brute force attacks were up significantly in February, complex attacks on WordPress sites dropped from 4.6 million per day average in January to only 3.3 million per day, the report says.