Significant Threat
IP 104.244.74.96 is a high-risk address originating from Luxembourg that has been implicated in 215 reported incidents over approximately two months, with activity intensity rated at 8 out of 10 and a dominant pattern of WordPress authentication abuse. The address belongs to AS53667, operated by the provider PONYNET. Automated honeypot sensors, together with 20 separate community sources, flagged this IP across multiple threat categories between January and February 2026.
The report volume and diversity of attack vectors paint a concerning picture of sustained hostile reconnaissance. Of the logged threat categories, WordPress login brute-force attempts and general brute-force attacks each account for 17 reports, while unauthorized WordPress cron execution generated 13 reports and distributed denial-of-service activity contributed another 13. The attack-pattern notes extracted from honeypot sensor logs show repeated systematic attempts against WordPress authentication endpoints, specifically targeting the root URI and triggering cron abuse mechanisms. The 56% confidence score reflects the diverse nature of observed behaviors, though the sheer volume of reports from multiple independent sources lends strong evidentiary weight to the assessment.
Brute-force attacks against web application login portals represent a well-documented intrusion vector that exploits weak or predictable credentials to gain unauthorized backend access. When combined with WordPress cron abuse, attackers can schedule malicious tasks or harvest server resources without triggering standard access logs. The presence of DDoS activity in the report mix suggests this IP may participate in coordinated botnet operations or serve as part of a broader attack infrastructure. For operators running WordPress instances or publicly accessible authentication forms, these combined techniques can lead to account compromise, data exfiltration, or resource exhaustion.
Defensive measures should prioritize immediate blocking of this IP at the network perimeter firewall or through web application firewall rules, particularly given the sustained activity window. Operators should verify that WordPress sites enforce strong password policies and consider implementing multi-factor authentication on all admin accounts. Rate-limiting authentication endpoints and employing automated threat detection tools such as fail2ban can disrupt brute-force patterns before they succeed. Finally, auditing cron job configurations to restrict unauthorized execution and monitoring access logs for the identified patterns will reduce exposure to the abuse techniques observed from this source.