Notable Threat
IP 91.92.242.226 is a high-risk address operating from the Netherlands via AS214943 (Railnet LLC), classified at threat level 7/10 with a concerning 944 total abuse reports, predominantly involving WordPress-focused reconnaissance and exploitation attempts alongside distributed denial-of-service indicators. The IP has accumulated community-sourced reports across ten distinct threat categories, with WordPress REST API abuse and user enumeration together accounting for the largest share of recent detections. Despite the high report volume, a notably low confidence score of 9 percent suggests some uncertainty in attribution, while an activity frequency rating of 0/10 indicates the most recent automated sensor activity may have subsided since the January 2026 reporting window. The concentration of attacks against WordPress infrastructure suggests the operator behind this address is systematically probing publicly accessible sites for exploitable configurations and vulnerable installations.
The detection data reveals a persistent, multi-vector assault pattern targeting WordPress-powered web servers. Community reports document repeated attempts to abuse the WordPress REST API, specifically querying /wp-json/wp/v2/users to enumerate valid user accounts, combined with author-lookup requests such as /?author=1, which serve the same reconnaissance purpose through a different code path. Concurrent activity includes unauthorized cron execution attempts and scanning for configuration files, suggesting preparation for deeper compromise or credential harvesting. The reported DDoS indicators, combined with observed resource exhaustion signatures consuming up to 108 MB of memory per request and generating 79 to 109 database queries per operation, demonstrate an address capable of applying meaningful load against vulnerable targets. All reported activity originated from Dutch network infrastructure during the January 2026 period.
WordPress REST API abuse represents one of the most efficient reconnaissance techniques available to attackers, allowing automated enumeration of usernames and site structure without triggering conventional brute-force lockout mechanisms that govern the standard login endpoint. The /?author=1 parameter technique achieves identical results by exploiting how WordPress handles author archive queries. Combined with high-volume request patterns that strain server resources, this IP poses a concrete threat to any publicly exposed WordPress installation lacking proper access controls, API authentication requirements, or request throttling. The resource exhaustion data indicates this address actively attempts to degrade server performance, potentially as a precursor to service disruption or as a method to evade security monitoring through noise generation.
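The two enumeration requests named above can be flagged per source address in a web server access log. The following is an added example, not part of the original report: it assumes Combined Log Format, the log lines are constructed with documentation-range IPs, and the threshold of 3 is a hypothetical tuning value.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed Combined Log Format: ip - - [ts] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

def classify(target):
    """Return 'rest_users', 'author_param' or None for a request target."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower().rstrip("/")
    # /wp-json/wp/v2/users and /wp-json/wp/v2/users/<id>
    if re.search(r"/wp-json/wp/v2/users(/\d+)?$", path):
        return "rest_users"
    # ?author=<n> outside wp-admin, where author= is a normal list filter
    authors = parse_qs(parts.query).get("author", [])
    if not path.startswith("/wp-admin") and any(v.isdigit() for v in authors):
        return "author_param"
    return None

def find_user_enumeration(lines, threshold=3):
    """Map source IP -> per-technique hit counts for IPs at or above threshold."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, _method, target, _status = m.groups()
        kind = classify(target)
        if kind:
            hits[ip][kind] += 1
    return {ip: dict(c) for ip, c in hits.items() if sum(c.values()) >= threshold}

# Constructed sample log lines (not taken from the report)
TS = "[12/Jan/2026:10:00:00 +0000]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {TS} "GET /wp-json/wp/v2/users HTTP/1.1" 200 512',
    f'203.0.113.7 - - {TS} "GET /?author=1 HTTP/1.1" 301 0',
    f'203.0.113.7 - - {TS} "GET /?author=2 HTTP/1.1" 301 0',
    f'203.0.113.7 - - {TS} "GET /wp-json/wp/v2/users/1 HTTP/1.1" 200 240',
    f'198.51.100.20 - - {TS} "GET /wp-json/wp/v2/posts HTTP/1.1" 200 900',
    f'198.51.100.20 - - {TS} "GET /wp-admin/edit.php?author=1 HTTP/1.1" 200 800',
    f'198.51.100.20 - - {TS} "GET /?author=1 HTTP/1.1" 301 0',
]

if __name__ == "__main__":
    for ip, counts in find_user_enumeration(SAMPLE_LOG).items():
        print(ip, counts)
```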