Researchers have seen a rise in attacks on WordPress websites, with more than a quarter coming from Amazon Web Services (AWS) EC2 cloud computing instances.
According to WordPress security experts Wordfence, around 5,000 of the 77,000 IP addresses that have sent malicious login attempts to WordPress installations came from EC2 instances.
Most of the IP addresses used by the attackers only started showing malicious behaviour last week, according to Wordfence’s QA engineer and threat analyst Ram Gall, after which they were added to the company’s blocklist.
“While AWS makes it easy for businesses to move to the cloud, attackers are also utilizing the scale provided by cloud services, including AWS, in increasing numbers,” said Gall.
IPs Owned by Mercenaries
Since November 17, 2021, Gall has shared a list of 40 IP addresses that have each made over one million illicit login attempts. Surprisingly, these IPs have been blocked by Wordfence for almost a year.
The longevity of these IPs, according to Gall, may indicate that attackers have paid for them. On that basis, he argues that it’s past time for websites to ensure they have the appropriate mitigations in place, “because it’s never been easier to attack millions of sites at once at a low cost.”
He cites data breaches like the recent GoDaddy hack, which hand attackers a large number of leaked credentials that they then use to try to access even more sites and services. Because people tend to reuse passwords, credentials gained from breaches let attackers break into more websites, sometimes on the first attempt.
Gall advises users to enable two-factor authentication (2FA), which he describes as an “incredibly effective” way of securing websites even if an attacker has access to your login information.
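A site owner can measure the same thing Wordfence reports above, the share of login attempts arriving from EC2 address space, from their own access log. The following is an added example, not code from Wordfence or from the original article: it assumes combined-format access logs and the "prefixes" layout of the ip-ranges.json file AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.json, and the sample ranges, log lines, function names and threshold are all constructed for illustration.

```python
import ipaddress
import json
import re
from collections import Counter

# Constructed stand-in for AWS's ip-ranges.json (same "prefixes" layout).
# The CIDRs are RFC 5737 documentation ranges, not real EC2 address space.
SAMPLE_RANGES = json.loads("""{"prefixes": [
  {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
  {"ip_prefix": "203.0.113.0/25", "region": "eu-west-1", "service": "EC2"},
  {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "S3"}]}""")

# Constructed access-log lines in combined log format.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Dec/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Dec/2021:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.200 - - [01/Dec/2021:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "curl/7.79"
192.0.2.10 - - [01/Dec/2021:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Dec/2021:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
not a log line
"""

# POSTs to the two WordPress endpoints that accept credentials.
LOGIN_POST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "POST (/wp-login\.php|/xmlrpc\.php)[ ?]')

def ec2_networks(ranges):
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in ranges["prefixes"] if p["service"] == "EC2"]

def login_attempts(log_text):
    counts = Counter()
    for line in log_text.splitlines():
        m = LOGIN_POST.match(line)
        if not m:
            continue  # not a login POST, or not a log line at all
        try:
            counts[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            continue  # client field is a hostname, not an IP address
    return counts

def summarize(log_text, ranges, threshold):
    nets = ec2_networks(ranges)
    counts = login_attempts(log_text)
    ec2 = sum(n for ip, n in counts.items() if any(ip in net for net in nets))
    total = sum(counts.values())
    return {"total_attempts": total, "ec2_attempts": ec2,
            "ec2_share": ec2 / total if total else 0.0,
            "block_candidates": sorted(str(ip) for ip, n in counts.items() if n >= threshold)}
```

The `block_candidates` list is only a starting point for review: a threshold tuned for a real site has to account for legitimate users behind shared addresses.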