From Russia With Love: The Leader in WP Attacks from the Start of 2017

Brute force and complex attacks from a few IPs have been ravaging the internet for the past four months, according to the Wordfence Attack Reports, which are published monthly.

The latest of those reports, published a couple of days ago, shows that the frequency of attacks coming from Ukraine and Russia is abating. It is still notable that a great number of attacks, brute force or complex (that is, attacks on specific plugins, themes or other elements), come from just a couple of IP blocks.

Namely, the IP address 193.201.224.205 from Ukraine performed 31.8 million complex attacks in December, 20.2 million attacks in January and 7.35 in February, whereas in March it doubled the number again, but nevertheless fell to #2 on the top list, with “only” 12.63 million attacks.

Another prolific attacker has been operating from the Russian IP 185.159.36.6. In December it scored 12.4 million attacks, in January 7.0 million, a little bit more (7.28) in February, and last month it became #1 with 15.86 million attacks, all of which were complex.

Four months ago Ukraine was the world leader in WordPress attacks, with 13 of the 25 top-rated IPs. January 2017 saw the rise of Russia to #1 with a total of 175.7 million attacks, followed by Ukraine (111.1 million), the US (79.4) and France (52.4). Russian hackers held the trophy in February and March, with the US breathing down their necks.

The high positioning of Ukraine on the map of the world’s most agile WordPress attackers was explained by Wordfence’s founder and CEO Mark Maunder, who found out that the companies owning the malicious IPs are actually operating in the eastern parts of the country, which are currently occupied and controlled by Russia. This wasn’t to accuse any of the countries involved (notwithstanding what many commenters on the article believed), nor to hint at the complex and often unfathomable ties between politics and cybercrime. The companies were simply based there.

The choice of themes and plugins targeted by complex attacks was more or less consistent over the past four months. mTheme-Unus was by far the most attacked theme, followed by churchope, infocus, lote27, elegance, awake, echelon, authentic and dejavu.

Plugins targeted for exploitation included wp-ecommerce-shop-styling, wp-symposium, candidate-application-form, recent-backups and google-mp3-audio-player, among others.
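A site owner can check their own access logs for requests against the themes and plugins listed above. The following is an added example, not code from Wordfence or from the original article; it assumes the web server writes Combined Log Format and that WordPress uses its standard `/wp-content/themes/<slug>/` and `/wp-content/plugins/<slug>/` layout, and the sample log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Slugs the article names as targets of complex attacks (lowercased for matching).
TARGETED = {
    "themes": {"mtheme-unus", "churchope", "infocus", "lote27", "elegance",
               "awake", "echelon", "authentic", "dejavu"},
    "plugins": {"wp-ecommerce-shop-styling", "wp-symposium",
                "candidate-application-form", "recent-backups",
                "google-mp3-audio-player"},
}
# Combined Log Format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" (\d{3})')
# Assumed standard WordPress layout: /wp-content/{themes,plugins}/<slug>/...
SLUG_RE = re.compile(r"/wp-content/(themes|plugins)/([^/?#]+)/", re.I)

def targeted_hits(lines):
    """Map source IP -> Counter of (kind, slug, status) for listed slugs."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        ip, path, status = m.groups()
        s = SLUG_RE.search(unquote(path))  # decode percent-encoding first
        if s and s.group(2).lower() in TARGETED[s.group(1).lower()]:
            hits[ip][(s.group(1).lower(), s.group(2).lower(), int(status))] += 1
    return hits

def top_sources(hits, n=5):
    """Rank IPs by total requests against listed slugs, busiest first."""
    return sorted(((ip, sum(c.values())) for ip, c in hits.items()),
                  key=lambda t: (-t[1], t[0]))[:n]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2017:10:00:01 +0000] "GET /wp-content/themes/churchope/style.css HTTP/1.1" 404 162',
    '192.0.2.10 - - [01/Apr/2017:10:00:02 +0000] "GET /wp-content/themes/mTheme-Unus/style.css HTTP/1.1" 404 162',
    '192.0.2.10 - - [01/Apr/2017:10:00:03 +0000] "GET /wp-content/plugins/recent-backups/readme.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Apr/2017:10:01:00 +0000] "GET /wp-content/plugins/wp-symposium/readme.txt HTTP/1.1" 404 162',
    '198.51.100.7 - - [01/Apr/2017:10:01:01 +0000] "GET /wp-content/plugins/wp%2Dsymposium/readme.txt HTTP/1.1" 404 162',
    '198.51.100.7 - - [01/Apr/2017:10:01:02 +0000] "GET /wp-content/themes/twentyseventeen/style.css HTTP/1.1" 200 900',
    '203.0.113.5 - - [01/Apr/2017:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print(top_sources(targeted_hits(SAMPLE_LOG)))
```

A 200 response on a listed slug suggests the component is actually installed, so those entries are the ones to review and update first.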