High Risk
IP 103.216.117.42 is a high-risk address operating from Vietnamese telecommunications infrastructure. It has generated 191 abuse reports from automated honeypot sensors over a concentrated two-month period and carries a threat level of 8/10 at 99% confidence. The overwhelming majority of the activity targets WordPress installations through systematic login brute force, credential stuffing and XML-RPC abuse.
The address, allocated to AS135905 under VIETNAM POSTS AND TELECOMMUNICATIONS GROUP, was first flagged in April 2026 and most recently in May 2026, with an activity frequency rated 8/10. Across 20 distinct honeypot sensor sources, the reported threat categories break down as: Hacking (18 reports), WP Login Brute Force (11), Brute-Force (10), Port Scan (9), and WP XML-RPC Brute Force (9); a single report may carry more than one category, so these figures do not sum to the report total. Internal fail2ban telemetry alone recorded 103 WordPress-specific violations attributed to this address, which confirms sustained, repeated engagement with WordPress login and administrative endpoints rather than purely opportunistic mass scanning.
The dominant attack pattern is an automated campaign built specifically against WordPress sites: password-guessing POSTs to wp-login.php using common administrative usernames, abuse of the XML-RPC interface (typically the system.multicall method, which lets a single request carry many authentication attempts and so sidesteps per-request rate limits on the login form), and web-path probing to enumerate WordPress system files. This combination is a textbook automated compromise vector against self-hosted WordPress deployments that have neither hardened their authentication layer nor disabled XML-RPC. The credential component, which tries standard administrator account names against common passwords, indicates the actor relies on default and widely reused credentials rather than on credentials specific to the targeted sites.
Operators exposing WordPress or similar web-application logins to this address should block or rate-limit it at the network edge, configure fail2ban to ban sources that repeatedly fail WordPress logins (including POSTs to xmlrpc.php, since a multicall request can hide hundreds of attempts behind a low request rate), and enforce multi-factor authentication on all administrative accounts so that a guessed password alone is not enough. Disabling XML-RPC where nothing legitimately uses it (Jetpack and the WordPress mobile apps do, so check before blocking xmlrpc.php outright) and restricting access to wp-login.php through IP allowlisting or geofencing are additional hardening steps that directly address the observed attack surface. Because this activity is one node of a distributed campaign, blocking a single address is a stopgap; the per-account controls above are what actually close the attack surface.
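The detection step described above, worked through as an added example that is not part of the original report or of fail2ban itself: a small Python script that applies fail2ban-style findtime/maxretry logic to web server access logs for the two endpoints this campaign hits. It treats a POST to wp-login.php answered with HTTP 200 as a failed login (WordPress re-renders the form with 200 on failure and redirects with 302 on success) and counts every POST to xmlrpc.php, then flags any source that reaches the threshold inside a sliding window. The log lines are constructed sample data using documentation address ranges, and the jail name "wordpress" in the generated ban commands is an assumption about the local fail2ban setup.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (Apache/nginx combined format). Addresses are
# from documentation ranges; none of this is real traffic. 203.0.113.7 plays
# the brute-forcer, 198.51.100.20 a legitimate admin, 192.0.2.9 a slow guesser
# that stays under the threshold.
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2026:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [02/May/2026:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [02/May/2026:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [02/May/2026:10:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [02/May/2026:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [02/May/2026:10:15:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [02/May/2026:10:15:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 7840 "-" "python-requests/2.31"
203.0.113.7 - - [02/May/2026:10:15:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 7840 "-" "python-requests/2.31"
203.0.113.7 - - [02/May/2026:10:15:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 7840 "-" "python-requests/2.31"
198.51.100.20 - - [02/May/2026:10:16:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
198.51.100.20 - - [02/May/2026:10:16:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [02/May/2026:10:16:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 30112 "-" "Mozilla/5.0"
192.0.2.9 - - [02/May/2026:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.9 - - [02/May/2026:10:35:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.9 - - [02/May/2026:10:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
this line is not in combined log format and must be skipped
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

WINDOW = timedelta(minutes=10)  # fail2ban-style findtime
MAXRETRY = 5                    # fail2ban-style maxretry


def parse_line(line):
    """Parse one combined-format line; return None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(rec):
    """Label a request as a suspicious WordPress auth event, or None.

    A POST to wp-login.php that gets HTTP 200 is a failed login (success is a
    302 redirect to wp-admin). Every POST to xmlrpc.php is counted because one
    system.multicall body can carry hundreds of login attempts.
    """
    if rec["method"] != "POST":
        return None
    path = rec["path"].split("?", 1)[0]
    if path.endswith("/wp-login.php") and rec["status"] == "200":
        return "wp-login-fail"
    if path.endswith("/xmlrpc.php"):
        return "xmlrpc-post"
    return None


def detect_bruteforce(lines, window=WINDOW, maxretry=MAXRETRY):
    """Per-source sliding-window counter mirroring fail2ban findtime/maxretry.

    Returns {ip: {"first": dt, "last": dt, "count": n, "kinds": {label: n}}}
    for every source that reaches maxretry suspicious events inside one window.
    """
    recent = defaultdict(deque)                      # ip -> timestamps in window
    kinds = defaultdict(lambda: defaultdict(int))    # ip -> label -> total
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label is None:
            continue
        ip, t = rec["ip"], rec["time"]
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        kinds[ip][label] += 1
        if len(q) >= maxretry and ip not in hits:
            hits[ip] = {"first": q[0], "last": t}
    for ip in hits:
        hits[ip]["count"] = sum(kinds[ip].values())
        hits[ip]["kinds"] = dict(kinds[ip])
    return hits


def ban_commands(hits, jail="wordpress"):
    """Render fail2ban-client commands for each flagged source.

    The jail name is an assumption about the local fail2ban configuration.
    """
    return [f"fail2ban-client set {jail} banip {ip}" for ip in sorted(hits)]


if __name__ == "__main__":
    flagged = detect_bruteforce(SAMPLE_LOG.splitlines())
    for ip, info in flagged.items():
        print(f"{ip}: {info['count']} events {info['kinds']} "
              f"first={info['first']:%H:%M:%S} last={info['last']:%H:%M:%S}")
    for cmd in ban_commands(flagged):
        print(cmd)
```

On the sample data only 203.0.113.7 is flagged (six failed logins plus three xmlrpc.php POSTs); the admin who logs in successfully and the slow guesser that never reaches five attempts in ten minutes are left alone. The same two rules translate directly into a fail2ban filter regex against the access log, and the xmlrpc.php rule is the one that matters most, because counting only wp-login.php misses the multicall variant entirely.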