High Risk
IP 88.198.64.173 is a high-risk address operated by Hetzner Online GmbH in Germany that has generated 174 abuse reports between April and May 2026, with automated honeypot sensors flagging it primarily for WordPress login brute-force attacks, XML-RPC abuse, and general hacking activity against web applications. The confidence score of 100 percent across 20 distinct report sources, combined with a threat level of 8 out of 10 and an activity frequency rating of 8 out of 10, indicates sustained and aggressive malicious behavior over a compressed timeframe.
The reporting data shows a clear pattern of automated attacks targeting WordPress installations specifically. The category breakdown reveals 14 reports for WP login brute force, 11 for general hacking activity, 5 for brute-force attacks, and 4 each for port scanning and WP XML-RPC brute force, with isolated reports of DDoS activity and suspicious bot behavior. Fail2ban logs referenced in the sanitized pattern data confirm multiple recidivist offenders, with individual source addresses accumulating over 50 violations within the wordpress-escalation jail alone. The attacks include credential stuffing attempts using common administrative usernames, path scanning and probing of WordPress system files, and suspicious POST requests to administrative endpoints. The presence of an extremely outdated user agent (Internet Explorer 7 or older) further suggests automated tooling rather than legitimate human traffic.
The dominant threat category—WordPress brute-force attacks—poses a concrete risk to any publicly accessible WordPress installation. These attacks systematically attempt common credential combinations against login pages and XML-RPC interfaces, exploiting the fact that many administrators still use weak or default usernames and passwords. Successful compromise grants attackers administrative access to the CMS, enabling malicious plugin installation, data exfiltration, or further lateral movement within the hosting environment. The recidivist behavior observed indicates that this IP has repeatedly triggered defensive measures yet continues probing from the same infrastructure, suggesting either automated retooling or deliberate persistence.
Site operators running WordPress should immediately ensure that administrative access is protected with multi-factor authentication and that common administrative usernames such as the one detected are not in use. Implementing fail2ban or equivalent intrusion-prevention rules to automatically block repeated login failures against WordPress endpoints will significantly reduce exposure. Rate limiting on both XML-RPC and wp-login.php endpoints, disabling XML-RPC entirely if unused, and enforcing strong password policies across all CMS accounts are effective defensive measures. Continuous monitoring of authentication logs for patterns matching the observed credential stuffing signatures will help identify any successful breaches before substantial damage occurs.
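The log-monitoring recommendation above can be applied directly to web server access logs. The following is an added example, not part of the original report and not an official fail2ban or WordPress component: it parses combined-format access log lines, counts POST requests to `wp-login.php` and `xmlrpc.php` per source address inside a sliding time window (the same maxretry/findtime idea fail2ban uses), and flags sources that exceed the threshold, also noting whether a flagged source presented a legacy Internet Explorer user agent of the kind the report describes. The log lines, addresses (RFC 5737 documentation ranges) and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; the request line is split into method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Authentication endpoints that brute-force tooling targets on WordPress.
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php")
MSIE_RE = re.compile(r"MSIE (\d+)\.")

# Constructed sample log (not from the report). 203.0.113.10 hammers wp-login.php with an
# IE 6 user agent; 198.51.100.7 posts to xmlrpc.php only every 20 minutes; 192.0.2.5 is benign.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3152 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.10 - - [12/May/2026:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3152 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.10 - - [12/May/2026:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3152 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.10 - - [12/May/2026:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3152 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.10 - - [12/May/2026:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3152 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.10 - - [12/May/2026:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3152 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [12/May/2026:10:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31.0"
198.51.100.7 - - [12/May/2026:10:20:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31.0"
198.51.100.7 - - [12/May/2026:10:40:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31.0"
198.51.100.7 - - [12/May/2026:11:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31.0"
198.51.100.7 - - [12/May/2026:11:20:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31.0"
192.0.2.5 - - [12/May/2026:10:04:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3152 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
192.0.2.5 - - [12/May/2026:10:05:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
192.0.2.5 - - [12/May/2026:10:05:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 8810 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],  # ignore query strings when matching endpoints
        "ua": m.group("ua"),
    }


def is_legacy_ua(ua):
    """True for Internet Explorer 7 or older, which no real browser traffic sends today."""
    m = MSIE_RE.search(ua)
    return bool(m) and int(m.group(1)) <= 7


def max_hits_in_window(times, window_s):
    """Largest number of events falling inside any window of window_s seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, max_retry=5, window_s=600):
    """Flag sources whose POSTs to auth endpoints reach max_retry inside window_s seconds."""
    events = defaultdict(list)
    legacy = defaultdict(bool)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in AUTH_PATHS:
            continue
        events[rec["ip"]].append(rec["ts"])
        legacy[rec["ip"]] = legacy[rec["ip"]] or is_legacy_ua(rec["ua"])
    findings = {}
    for ip, times in events.items():
        peak = max_hits_in_window(times, window_s)
        if peak >= max_retry:
            findings[ip] = {"peak_hits": peak, "total_posts": len(times), "legacy_ua": legacy[ip]}
    return findings


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {info}")
```

With the defaults (5 attempts in 10 minutes) only 203.0.113.10 is flagged; the slow xmlrpc.php source stays under the threshold because its posts are 20 minutes apart, which is why the window length matters as much as the retry count when tuning a jail against low-and-slow probing. Output from this script is what would feed a block rule or a fail2ban-style action; the detection counts only POSTs, so ordinary page views of the login form do not contribute.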