Over the past week, attacks originating from AWS EC2 instances against WordPress sites have increased by a factor of 5 \t The Wordfence Threat Intelligence team has been tracking a huge increase in malicious login attempts against WordPress sites in our network. Since November 17, 2021, the number of attacks targeting login pages has doubled. We\u2019ve seen a global increase in attacks against WordPress sites during the past week, and more than a quarter of all of the malicious login attempts we\u2019re tracking are now originating from AWS EC2 instances, as shown in the chart below: \t More than 77,000 IP addresses in this IP space have sent out malicious login attempts since November 17, 2021, but the vast majority of attacks are originating from roughly 5,000 EC2 instances. Most of these IP addresses have only started attacking enough sites to be added to our blocklist in the last week. The following 40 IP addresses, however, have been on the Wordfence blocklist since the end of 2020 and have each sent out over 1 Million malicious login attempts since November 17, 2021: 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 While AWS makes it easy for businesses to move to the cloud, attackers are also utilizing the scale provided by cloud services, including AWS, in increasing numbers. As IPs that are no longer sending out attacks are removed from our blocklist, the persistence of these IPs may also indicate that attackers are paying for services in addition to relying on compromised sites. As such, it is important to have mitigations in place to protect your site, since it has never been easier to inexpensively attack millions of sites at once. Stop Login Attempts Before They Happen Wordfence Premium customers are protected by our IP blocklist. IP addresses that have recently attacked other WordPress sites are quickly added to our blocklist and are blocked from accessing sites protected by Wordfence Premium. The size of this blocklist ranges from 25,000 to 60,000 IP addresses. All Wordfence users, including sites using Wordfence Free, receive best-in-class protection against malicious login attempts. Attacking IPs are automatically blocked from a site after a user-configurable number of unsuccessful login attempts. Many site owners still reuse the same password in multiple locations, and data breaches, such as the recent GoDaddy breach, are frequently a source of compromised passwords. These compromised passwords are used by attackers to attempt to login to even more sites and services. Using this technique, attackers may guess your login correctly on the first try. We also recommend that everyone use 2-factor authentication wherever possible, as it is an incredibly effective way of protecting your site even if an attacker has your password. The free version of Wordfence includes 2-factor authentication as a feature. Hacked Site? Wordfence offers Site Cleanings with a Wordfence Premium license and a full 1-year guarantee. Click Here! \t Defiant, Inc., 1700 Westlake Ave N STE 200, Seattle, WA 98109, United States Manage preferences You're receiving this email because you signed up to the Wordfence WordPress security mailing list.