High Risk
IP 159.100.13.237 is a high-risk address operating from Germany (AS214036, Ultahost Inc.) with a threat level of 8/10 and near-certain confidence, originating 169 abuse reports across automated honeypot sensors and community submissions between April and May 2026. The dominant threat profile centres on WordPress-targeted credential attacks, with hacking activity, WP login brute forcing, XML-RPC abuse and port scanning detected at high frequency.
Detection data reveals a persistent, multi-vector assault campaign against web infrastructure. Of the 169 total reports, the most frequent categories include general hacking attempts (14 reports), WordPress login brute-force attacks (11), and WordPress XML-RPC exploitation (6), alongside brute-force activity (5), port scanning reconnaissance (6), and distributed denial-of-service attempts (3). The activity frequency rating of 8/10 indicates sustained offensive operations over the two-month reporting window. Fail2ban escalation logs confirm repeated WordPress attack patterns, including multi-jail offenders triggering recidive blocks after accumulating violations exceeding 50 entries per jail. Path-scanning probes targeting WordPress system files and credential stuffing against authentication endpoints were also observed across honeypot sensors.
WordPress brute-force and XML-RPC attacks exploit authentication weaknesses in widely deployed content management systems. Attackers leverage credential stuffing and raw brute-force attempts to compromise administrator accounts, enabling data theft, malware deployment or further network penetration. Port scanning activity precedes such attacks by mapping exposed services, allowing adversaries to prioritise vulnerable entry points. When successful, these intrusions can result in site defacement, backdoor installation, spam distribution or use of compromised servers in larger botnets. The combination of multiple simultaneous vectors against a single infrastructure suggests an automated, coordinated campaign rather than opportunistic scanning.
Site operators should implement immediate defensive controls: enforce strong, unique passwords and disable XML-RPC if unused; apply rate-limiting rules and account lockout thresholds to frustrate automated authentication attempts; and deploy tools such as fail2ban or equivalent intrusion-prevention systems tuned to WordPress attack signatures. Firewall rules should block or throttle traffic from known suspicious sources, and exposed services should be minimised through network segmentation. Continuous monitoring of authentication logs and integration of IP reputation feeds will further reduce exposure to credential-based threats from addresses such as 159.100.13.237.
LK 
BG 
AU 
LT 
JP 
VN