Wordfence spots Amazon EC2 used to attack WordPress sites

Mark Maunder, CEO Wordfence / Feedjit Inc
Mark Maunder, CEO Wordfence / Feedjit Inc

Wordfence is a security plugin for WordPress deployed on 1 million active WordPress websites. Mark Maunder, CEO, Wordfence has published a blog looking at the two most popular brute force attacks on WordPress sites. The first attempts to connect via the website using the standard wp-login.php page. The second uses XMLPRC which is how mobile apps authenticate to a site.

Both are common attacks that seek to gain authenticated access to a website. Once in, attackers then take over a site using it to distribute malware and enrol it into a botnet. These are often successful attacks especially with large numbers of unmanaged and abandoned WordPress sites on the Internet.

All attacks are created equal

Wordfence monitored all incidents of the two types of attack during a two week period in January 2017. It saw over 200 million attempts to gain authorised access to WordPress sites on which it is installed. Of those 106 million attacks tried wp-login and 108 million attacks tried XMLRPC. The data also shows that over 75% of attacks used both methods.

According to Maunder: “This result surprised me because I assumed that attackers targeting XMLRPC would be more sophisticated or perhaps creative. But on reflection it takes about the same amount of effort to write an attack script or bot that brute force attacks either target. So this makes sense.”

Regional differences in attack methods

There is a surprise in the data when it comes to regions and attack types. Russia, USA and Ukraine were the top three attacking countries. This is not surprising as other security companies regularly have them in their top positions. The surprise is who uses which type of attack. Attack from the USA are predominately focused on XMLRPC. Attackers from Russia and Ukraine prefer to target wp-login.

This is where Maunder’s data gets interesting. Wordfence looked deeper into the data from the USA. Maunder says: “…the majority of the total number of attacks originating in the USA come from Amazon.com which provides cloud computing services to developers. We saw a total of over 144 million attacks over two weeks originate from Amazon.”

This is not the first attack to use a cloud computing platform. Two weeks ago Forcepoint Security Labs reported that the group behind the Carbanak malware was using Google services for its command and control.

There have been other instances of cloud being used to launch attacks. According to UK analyst firm Creative Intellect Consulting: “The use of cloud computing to launch cyber attacks is a given. Rather than use a botnet where IP address could be blacklisted, they can be sure that the IP addresses used by cloud companies will not be blocked. Cloud also scales and scales very quickly.

“This enables large attacks to be instantiated within minutes. In addition, using the multiple locations provided by cloud companies they can rotate their attacks to be local to their target. Cloud is also a very inexpensive platform. We’ve already seen evidence of hackers exploiting the window between credit card theft and cards being blocked to buy access to cloud resources.”

Has Amazon been hacked?

Maunder says that all the attacks from Amazon came from just 36 unique IP addresses. Wordfence reverse engineered the IP addresses and discovered that all but 3 of the IP addresses appear to be EC2 instances. He offers up three different theories for this:

  1. 36 servers at Amazon EC2 have been compromised and they have been used to launch a very rapid and wide-spread brute force attack during the past 2 weeks. That attack generated over 144 million failed login attempts across the sites we monitor.
  2. A developer may be using EC2 to host an application that is trying to sign into WordPress websites using XMLRPC. The application may not handle bad user credentials correctly and may just keep retrying.
  3. It may be a combination of both bad applications hosted at EC2 and compromised servers engaging in a large scale brute force attack.


It doesn’t matter how people login to your WordPress site, you need to be aware of the risks. The first question all sites owners need to ask is “do people need to log on?” If the answer is yes, ask “why do they need to log on.” It may be that you only allow comments or content from authenticated users. If so then it is important to beef up and regularly check site security and access logs.

In the UK we have seen ISPs warning WordPress users of repeated attempts to get into their sites. These attacks also affect other sites at the ISP. If users do not act then it is likely that ISPs may simply take their site down. This is a reasonable response if the site is a security risk. It is also within the service conditions that most ISPs issue.

Maunder, of course, would prefer you purchased Wordfence. It is not the only solution on the market but irrespective of what you choose you need to protect your site.


Please enter your comment!
Please enter your name here