The March 2017 WordPress Attack Report

The March 2017 WordPress Attack Report

We came across this very interesting article on the WordFence website, in their blog section illustrating the amount of hacking attempts on WordPress websites over the past number of months.

The blog entry was posted in Monthly Attack Activity Report, WordPress Security on April 6, 2017 by Mark Maunder

“Today we are releasing the WordPress Attack Report for March, 2017. You can also find the following previous attack reports on our blog: December 2016, January 2017 and February 2017.

This report contains the top 25 attacking IPs for the month of March and their details. It also includes charts of brute force attack activity and complex attack activity for the period. We also include the top themes and plugins that were attacked and which countries generated the most attacks for the period.

One of the more surprising data points in this report is the rise of Algeria as a source of attacks. After creating this report we dug a little deeper and will be releasing our additional findings regarding Algeria next week.

The Top 25 Attacking IPs

I’m including our usual explanation of how the table below works. If you’re familiar with our attack reports, you can skip down to the table below which contains the March data and read my comments that follow the table.

Brief introduction if you’re new to viewing these reports

In the table below we have listed the most active attack IPs for March 2017. Note that the ‘Attacks’ column is in millions and is the total of all attacks that originated from each IP. Further right in the table (you may have to scroll right) we break out the attacks into ‘brute force’ attacks and ‘complex’ attacks.

Brute force attacks are login guessing attacks. What we refer to as ‘complex’ attacks are attacks that were blocked by a rule in the Wordfence firewall.

We have also included the netblock owner, which is the organization, usually a company, that owns the block of IP addresses that the attack IP belongs to. You can Google the name of the owner for more information. A Google search for any of these IP addresses frequently shows reports of attacks.

The hostname included is the PTR record (reverse DNS record) that the IP address owner created for their IP, so this is not reliable data but we include it for interest. For example, we have seen PTR records that claim the IP is a Tor exit node, but it is clearly not, based on traffic.

We also include the country and a country flag. To the far right of the report we show the date in March when we started logging attacks and the date attacks stopped. For many of these IPs we logged attacks for the entire month. For some you can see there is a clearly defined attack ‘window’ where the IP started and stopped.

The Top Attacking IPs

Our top two attacking IPs are in Russia and Ukraine respectively. Both of them are only launching complex attacks on WordPress. Our top IP has doubled its attacks from 7 million to 15 million attacks. Our second place IP went from 7 million to 12 million attacks per month.

The total number of complex attacks from the top 25 IPs went from 63 million in February to 85 million in March. The total brute force attacks from the top 25 IPs increased from 18 million in February to 32 million in March. This indicates an increase in how aggressively these top 25 IPs are attacking sites.

If we cluster the top 25 attacking IPs by country, it becomes apparent that Ukraine is by far the top source for attacks. We also have a surprisingly large number of top attacking IPs from Turkey in March.

Brute Force Attacks on WordPress in March 2017

The chart below shows the brute force attack activity on WordPress sites that we monitor for the month of March.

We saw a slight increase in the average daily attacks from 30 million in February to 34 million in March. Not a big change, so in general the attack frequency and activity is fairly steady. In February we saw a huge sustained spike in activity towards the end of the month. We did not see that in March for brute force attacks.

Complex Attacks on WordPress in March 2017

The graph below shows complex attacks (attacks that try to exploit a vulnerability) for the month of March 2017.

The average daily attacks increased from 3.4 million in February to 3.8 in March. In February the attack graph was fairly constant throughout the month. March saw a huge spike early in the month which quickly subsided.

Once the spike subsided, we saw a sustained period of relative calm with only 3 million attacks per day and then a gradual pick-up later in the month.

Attacks on Themes in March 2017

The table below shows the total number of attacks on WordPress themes. We identify each theme using it’s ‘slug’ which is the directory in which it is installed in WordPress.

There is some movement in the rankings, but for the most part the same themes are being targeted.

One interesting change we noted is that for the month of March, the attacks are more spread out. Below we generate a graph showing the “long tail” of attacks on themes. We have created a distribution from left to right of the most attacked themes to the least attacked. It creates a curve which is commonly known as a “long tail” among statisticians.

As you can see, for the month of March, the long-tail flattens out because we are seeing attacks more evenly distributed across themes, rather than focusing on a smaller number of frequently attacked themes.

Attacks on Plugins in March 2017

The table below shows the attacks we saw on plugins across the sites Wordfence protects. As with themes, we identify each plugin by its unique ‘slug’ which is the unique installation directory where the plugin is installed.

The list of plugins being targeted has had some shuffling around, but as you can see, all plugins in the list are well known targets of attack that are generally in the top 50 attacked plugins for WordPress.

If we look at the long-tail distribution for plugins we can see that the attack distribution has not changed much and is still roughly the same as February.

Attacks by Country for March 2017

The table below shows the top 25 countries that attacks originated from in the month of March on WordPress sites that we monitor. The most surprising thing in this list is the sudden appearance of Algeria as an attack source. In our previous report, Algeria was ranked way down at 60 for total attacks.

We will be posting a follow-up post which explains why Algeria has suddenly jumped in the country rankings. We dug a little deeper and found some very interesting data that we will be including in a report which we expect to release next week.


I hope you’ve enjoyed this overview of the WordPress attack landscape. If you are in the threat intelligence field, I encourage you to grab this data and incorporate it into your own analysis. I know some of you already have and have shared your findings with us privately and I very much appreciate that.

We will be publishing a follow-up to this report describing why Algeria has risen in the attack ranks some time next week.”

Credit: Mark Maunder WordFence Security


2017-12-12T18:02:28+00:00 April 7th, 2017|