Wordfence warns against a massive brute-force attack campaign

On the 18th of December, Wordfence posted the following entry describing an ongoing distributed brute-force attack campaign targeting WordPress installations. It was accompanied by a dramatic chart highlighting the number of attacks per hour. According to Wordfence, it was the most aggressive campaign they’ve seen so far. However, as a WordPress hosting provider, I’ve found no data to support these claims.

I’ve not experienced any increase in dictionary attacks or other malicious traffic against WordPress installations on our web hosting platform. Curiously enough, this would mark the first time that we have completely dodged such a large-scale attack.

I’m a bit skeptical about this report from Wordfence, not solely because the entry reads as a (very) long advertising campaign for their premium services, but also due to the complete lack of details regarding the characteristics of the attack. Sure, it’s entirely possible that the attack was targeting specific TLDs/countries, but Wordfence doesn’t want to share any information about the IP addresses involved in the attack. Apparently their expenses associated with harvesting data from client installations are just too high to justify handing it out for free.

I might add that I also find it somewhat amusing that they ran with a similar story around this time last year titled “Huge Increase in Brute Force Attacks in December and What to Do” (try guessing the “what to do” part). But hey, it’s the end of the year and we all have to make ends meet.

I’m sorry to play the Grinch, but until I see some hard evidence I’m tempted to label this attack as either a dud or an exaggerated marketing campaign. Anyhow, that’s just my personal opinion, given without claim to correctness or completeness; spend your money wherever you want.