Elevated Risk
IP 121.200.217.27 is a high-risk address originating from Vietnam (AS154247, MCO HA NOI TECHNOLOGY COMPANY LIMITED) that is actively conducting automated WordPress-focused attacks, primarily brute-force credential stuffing against administrative login portals and reconnaissance probes targeting WordPress REST APIs and user enumeration endpoints. With 169 total reports across 20 sources (19 automated honeypot sensors and 1 community report) and a threat level of 8/10, this IP represents a persistent, multi-vector intrusion campaign that was first detected in April 2026 and remains active through May 2026.
The detection data reveals a concentrated focus on WordPress infrastructure. Automated honeypot sensors logged repeated attempts to access administrative login pages using common credential combinations (notably the "admin" username), alongside systematic probing of WordPress REST API endpoints for version fingerprinting and plugin enumeration. The attack pattern shows escalation behavior, with fail2ban records indicating the IP triggered both standard wordpress and escalation jails on multiple occasions, accumulating over 50 violations on the escalation jail alone. The recidive classification confirms this address repeatedly violated blocks across separate detection events, demonstrating determined persistence rather than opportunistic scanning. The combination of credential stuffing, user enumeration via /wp-json/wp/v2/users, and targeted plugin scanning indicates a structured WordPress compromise toolkit in operation.
WordPress brute-force and credential stuffing attacks pose a direct threat to website administrative access, potentially granting attackers full server control, malware injection capabilities, or data exfiltration if weak or default credentials are present. The user enumeration and version fingerprinting phases serve as reconnaissance that enables the attacker to tailor subsequent exploitation attempts to specific vulnerable plugins or WordPress versions. The DDoS report, while a single occurrence, suggests the IP may participate in broader attack infrastructure or conduct multi-purpose hostile activity.
Site operators running WordPress should block this IP at the firewall or web application firewall level immediately. Enforce strong, unique passwords and implement multi-factor authentication on all administrative accounts to render credential stuffing ineffective even if credentials are compromised. Deploy fail2ban or equivalent intrusion prevention tools configured with strict wordpress-specific jails and lower thresholds for recidive offenders to auto-block repeated attacks. Regularly audit WordPress installations for outdated plugins and themes, restrict access to the REST API endpoint /wp-json/wp/v2/users on public-facing sites, and consider limiting login page access to trusted IP ranges or requiring VPN authentication for administrative tasks.
ES 
NP 
KR 
ET 
GB 
FR