Threat Intelligence

WordPress under siege: 37,288 attacks logged on a single weekend

Patrick Schlesinger
[Figure: Weekend attack report card showing 37,288 attacks, 15,066 unique attackers, top attack vectors and origin countries]

The May 23–24 weekend was the loudest 48 hours we’ve seen in the network so far. Member sites pushed 37,288 attack reports through the ReportedIP API, tied to 15,066 unique attacker IPs. More than a quarter of those reports — 10,078 — came from WordPress sites running the Hive plugin.

If you run public WordPress and you are not behind a reputation-driven block, the average week now contains a full weekend of background fire. This is what the community fed us over those two days, what the patterns look like, and what we shipped on top.

What the weekend looked like

Three vectors, one infrastructure

The three biggest attack categories on Saturday and Sunday were Hacking attempts (23,019 reports), Brute-Force login pressure (10,215), and SSH plus WordPress combo runs (3,889). The total adds up to more than the unique-IP count because the same attacker IPs hit multiple categories on the same site within minutes — a single host runs a brute-force pass, fails, then immediately probes wp-config.php.bak and /.env on the same target.

This is the network effect that makes community reputation work: an IP that hammers Site A’s login form at 14:02 UTC is already on Site B’s deny list at 14:03 UTC, before it ever touches Site B. Over the weekend the average attacker IP showed up in 2.5 of the 9 threat categories tracked by the API — they aren’t single-purpose bots, they are full toolkits.

Origin: four countries account for 18,254 IPs

The geographic concentration over the weekend was unusually narrow. Four origin countries produced 18,254 of the unique attacker IPs we tracked:

  • United States: 10,920 IPs — mostly hosting providers and cloud ranges, not residential.
  • India: 3,038 IPs — broad mix of telco ASNs and small VPS providers.
  • Pakistan: 2,281 IPs — concentrated in three large ISPs.
  • Netherlands: 2,015 IPs — almost exclusively bulletproof and budget hosting.

Country-level blocking is a blunt instrument and we don’t recommend it as a default. But if you are seeing repeated probes from one of these four origins and you have no business reason to accept traffic from them, the cost-benefit math tips fast.

WordPress is still the primary target

10,078 of the 37,288 reports — 27% — came from WordPress sites running ReportedIP Hive. Those sites collectively block more than 600 distinct attack patterns each day; on the weekend that number climbed to 1,100+ patterns per site. Customers with Hive’s Hardening Mode enabled saw the new 2-hour rolling lookback kick in twice on Saturday and once on Sunday, each time as a coordinated wave hit a cohort of 20–50 sites in the same 60-second window.

We also got the usual handful of phone calls on Monday morning from customers whose sites weren’t protected and got compromised: a defaced homepage, a WP-Admin user named admin-backup they never created, or a plugin folder full of obfuscated PHP files. None of it is exotic, all of it is preventable.

What Hive did about it

Two things shipped in the days following the weekend, both directly informed by what the community pushed through the API:

  • Hive 2.0.15 (released May 21): multi-recipient admin notifications no longer get silently dropped by the relay, Hardening Mode stops re-activating against the same attack pattern every hour, and the relay 429 backoff is now respected client-side. Full release notes →
  • 40-path decoy surface: any request for wp-config.php.bak, .env.production.bak, configuration.php.bak, common SQL dumps at the webroot, .aws/credentials, .ssh/id_rsa, or any of the 33 other bait files is now a high-confidence attacker signal — and that signal feeds the community reputation database when Hive runs in Community Network mode.
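As an added illustration of the two signals above (a decoy-file request and a failed-login burst from the same IP) being folded into one shared reputation, here is a small Python sketch; it is not Hive's code, which is not on this page. The access log lines, the brute-force threshold and the six-path subset of the decoy list are constructed for the example.

```python
import re
from collections import defaultdict

# Subset of the bait paths named in the post; the rest of the 40-path list is not on the page.
DECOY_PATHS = {"/wp-config.php.bak", "/.env.production.bak", "/configuration.php.bak",
               "/.aws/credentials", "/.ssh/id_rsa", "/.env"}
# Combined log format: client IP, method, path and status are all we need.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) [^"]*" (\d{3})')
BRUTE_FORCE_THRESHOLD = 5   # constructed: failed wp-login POSTs from one IP on one site

def classify_site(lines):
    """Map each client IP to the threat categories it triggered on one site."""
    failed, cats = defaultdict(int), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.group(1), m.group(2), m.group(3).split("?")[0], int(m.group(4))
        if path in DECOY_PATHS:
            cats[ip].add("hacking")   # any request for a bait file counts, whatever the status code
        # WordPress answers a failed login POST with 200 (re-rendered form); a success is a 302.
        if method == "POST" and path == "/wp-login.php" and status == 200:
            failed[ip] += 1
            if failed[ip] >= BRUTE_FORCE_THRESHOLD:
                cats[ip].add("brute-force")
    return cats

def community_reputation(site_reports):
    """Union of every site's per-IP categories: one site's report protects all the others."""
    rep = defaultdict(set)
    for cats in site_reports.values():
        for ip, c in cats.items():
            rep[ip] |= c
    return rep

def mean_categories_per_ip(rep):
    """The 'categories per attacker IP' figure the post quotes, computed over the shared view."""
    return sum(len(c) for c in rep.values()) / len(rep) if rep else 0.0

# Constructed log lines using RFC 5737 documentation addresses.
LINE = '{ip} - - [24/May/2025:14:02:{s:02d} +0000] "{m} {p} HTTP/1.1" {st} 512 "-" "Mozilla/5.0"'
SITE_A = [LINE.format(ip="203.0.113.7", s=i, m="POST", p="/wp-login.php", st=200) for i in range(5)]
SITE_A.append(LINE.format(ip="203.0.113.7", s=9, m="GET", p="/wp-config.php.bak", st=404))
SITE_A.append(LINE.format(ip="192.0.2.5", s=10, m="GET", p="/index.php", st=200))
SITE_B = [LINE.format(ip="198.51.100.9", s=30, m="GET", p="/.env", st=404)]

REPUTATION = community_reputation({"site-a": classify_site(SITE_A), "site-b": classify_site(SITE_B)})

if __name__ == "__main__":
    for ip, cats in sorted(REPUTATION.items()):
        print(f"{ip:15} {sorted(cats)}")
    print("mean categories per attacker IP:", mean_categories_per_ip(REPUTATION))
```

Site B never saw 203.0.113.7, yet the shared view already carries both of that host's categories, which is the point of the network effect described earlier.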

Get protected

If you run a public WordPress site, the cheapest meaningful thing you can do this week is to install Hive in Community Network mode. It costs nothing, it cuts brute-force load by an order of magnitude, and every block you log makes the network faster for the next site.

  • Get ReportedIP Hive → Full edition with 12 sensors, 4-method 2FA, and Hardening Mode.
  • Run a honeypot → Sit a decoy server in front of the internet and contribute high-confidence threat intelligence to the network.
  • API reference → Use the reputation API directly if you run your own WAF stack.

The weekend wave is already in the rear-view mirror. The next one is on its way. Reports keep arriving — the counter is rolling as you read this.
