A new threat on an unprecedented scale is shaking up the web: 2.8 million compromised network devices are currently being used to flood the Internet with malicious requests.
At LRob, as a web host, we've seen a dramatic increase in attacks over the past few days. We'll explain how we're effectively blocking them.
These attacks are not just a nuisance: they can seriously impact the performance and security of your websites. How does the attack work? What impact does it have on your websites? How can you protect yourself? Here are the answers.
Details of the cyber attack
Discovery of the cybersecurity attack
As reported by Cyber Security News in its article, a massive brute-force attack (testing all passwords) began by targeting VPN and firewall connections, using 2.8 million IP addresses: a sort of brute force crossed with a giant DDoS (Distributed Denial of Service).
First detected in January 2025 by the Shadowserver Foundation, this campaign targets security devices at the edge, such as VPNs, firewalls and routers from vendors like Palo Alto Networks, Ivanti and SonicWall.
Cybercriminals are using residential proxy networks and compromised devices, including MikroTik, Huawei and Cisco routers, to carry out these attacks. More than 1.1 million of the IP addresses involved originate from Brazil, followed by Turkey, Russia, Argentina, Morocco, Mexico and other countries such as Ireland, according to some observations.
Together, they form a growing botnet, capable of carrying out a variety of attacks. And we can confirm that this is starting to show on the web hosting side, with attacks on the rise over the past few days. It could be that many new devices have been compromised.
Official cybersecurity organizations react
Faced with this growing threat, international cybersecurity agencies (CISA, NCSC, etc.) are recommending that manufacturers improve the default security of their devices, and that companies reinforce the protection of their network accesses. The use of multi-factor authentication (MFA), regular system updates and network segmentation are essential to reduce risks. Shadowserver warns that these attacks are likely to continue, affecting other providers and regions.
Propagation to web hosts - LRob observations
At LRob, we've seen an increase in illegitimate requests since the start of 2025, followed by a drastic jump since February 8.
On February 11, a record was set, with +500% attackers blocked compared with the usual average.
Paradoxically, this fell on International Safer Internet Day, organized in France by Internet Sans Crainte.
A colleague confirms a simultaneous increase in the number of attacks received on his machines. I'm also checking with other hosting companies to see if they too are seeing an increase in attacks.
In raw figures, we exceeded 10,000 attackers blocked on Tuesday, February 11, 2025, i.e. 5x the average value.
As for server load, average server CPU usage increased by around 6%, from 14 to 20%. While this still leaves us with 80% of headroom, it's already enough for us to react (see below).
Origin of attacks
As far as we're concerned, attacks come from all over the world, and we haven't kept precise statistics on where they come from, as this requires considerable logistics for little added value. Our priority is to block as many attacks as possible.
What's more, the attacks come from a wide variety of sources, ranging from home IPs to datacenter IPs. This suggests that we're dealing with a huge botnet.
In terms of geographical origin, we can say with a pinch of salt that the attacks seem to be coming from all over the world, with China potentially in the lead (nothing unusual, then...).
But we're also seeing attacks from Singapore, Brazil, India, Vietnam, Kazakhstan, Spain, Finland, Japan, Korea, Hong Kong, Thailand, Canada, USA, Georgia, France, Italy, UK, Bangladesh, Romania, Philippines...
In short, nothing stands out at first glance, with attacks coming from everywhere, as usual.
For a direct overview, see LRob reports on AbuseIPDB.
Correlation is not causation - Some reservations
Admittedly, it's impossible to make a definite link between the current global attack and this increase in attacks on LRob's web servers and WordPress sites. Despite a colleague's confirmation, the sample is not sufficient to conclude with certainty.
However, the correlation remains striking, and it doesn't seem far-fetched to think that the two are linked. To go further, we'll need to consult with other colleagues to ascertain whether or not the attacks are widespread.
WordPress hosting & attacks: what are the consequences?
Administrators, web agencies and owners of WordPress sites should ask themselves:
"Is my WordPress hosting ready for this wave of attacks?"
Whether for the current attack or for future ones, if your web host does not block these attacks, you could quickly suffer the consequences:
- Slowness: parasitic requests slow down your site
- Inaccessibility: total server saturation can prevent your site from responding at all
- Intrusions: a successful attack can compromise your data and that of your customers
- SEO degradation: if just one of the above points occurs, it can severely damage your search engine optimization.
How to protect your WordPress hosting? LRob method.
LRob already provides automatic blocking of attackers directly at server level. This drastically reduces server load, improves performance and dramatically reduces risk compared to conventional hosting providers. In our opinion, it's the best solution, tried and tested over many years.
An application firewall (WAF) and numerous WordPress-specific security rules are applied: this keeps your websites fast and protected.
If these security mechanisms are triggered, the attacker is completely blocked from the server. Their attacks and requests then have no effect.
As a bonus, we report the attack to AbuseIPDB to help the few conscientious hosts around the world.
Despite this, we observed a slight increase of 6% in the CPU usage of our servers, and in terms of the raw number of attacks, this represents +500%, as we have seen.
Looking into the root cause of this increase in CPU usage, around 5% came from 404 requests (non-existent URLs) and 1% from other, more complex requests.
We have therefore taken additional measures to restore load levels to normal. By adjusting in this way, we can continue to ensure maximum performance for hosted sites, even if the attack intensifies. We're not invincible (no one is), but we have nothing to be ashamed of compared with other hosting providers - quite the contrary. And we have other tricks up our sleeve if need be.
New measures to reduce resource waste
Some malicious IPs generate a flood of useless requests (404 errors, abusive scraping, etc.), wasting processor clock cycles without posing a direct threat. And the waste is unbearable.
So we've put in place a strict rule: IPs triggering too many 404s are now automatically banned.
The results are immediate:
- Over 500 attackers banned thanks to this rule in 24 hours
- Significant reduction in CPU usage
- Consistent performance for legitimate visitors
Of course, we can't detail all the new rules publicly, but if you're a server administrator, a word of advice: use top/htop (and hope that each site has its own user and FPM pool), check your logs with a good grep, and finally, create custom jails in fail2ban... Also, whitelist search engines like Google and Bing, as these trigger numerous 404s and it would be a shame to get your hosted sites de-indexed.
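The logic behind such a rule, as an added example (not LRob's actual rule or code): count 404s per IP in a sliding window, skip allowlisted crawler ranges, and flag the IP once a threshold is crossed, which is what fail2ban's maxretry, findtime and ignoreip settings express. The thresholds, the allowlist range, the function names and the log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed thresholds, not LRob's real values: 20 404s within 60 seconds.
MAX_404, WINDOW = 20, timedelta(seconds=60)
# Placeholder allowlist (documentation range). In production, load the crawler
# IP ranges that the search engines publish.
ALLOWLIST = [ip_network("192.0.2.0/24")]
# Common/combined log format: client IP, [timestamp], "request", status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:[^"\\]|\\.)*" (\d{3}) ')

def find_offenders(lines, max_404=MAX_404, window=WINDOW):
    """Return {ip: time the threshold was crossed} for IPs that should be banned."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 404s
    banned = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "404" or m.group(1) in banned:
            continue
        ip = m.group(1)
        try:
            addr = ip_address(ip)
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # hostname instead of IP, or malformed timestamp
        if any(addr in net for net in ALLOWLIST):
            continue  # never ban allowlisted crawlers
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:  # drop 404s older than the window
            hits.popleft()
        if len(hits) >= max_404:
            banned[ip] = when
    return banned

def sample_log():
    """Constructed sample: a scanner, an allowlisted crawler, a slow visitor."""
    base = datetime(2025, 2, 11, 10, 0, 0, tzinfo=timezone.utc)
    def line(ip, offset, path, status):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 153 "-" "-"'
    rows = [line("203.0.113.7", i, f"/no-such-file-{i}.php", 404) for i in range(25)]
    rows += [line("192.0.2.10", i, f"/old-page-{i}", 404) for i in range(30)]
    rows += [line("198.51.100.4", i * 90, f"/typo-{i}", 404) for i in range(25)]
    rows.append(line("198.51.100.4", 5, "/", 200))
    return rows

if __name__ == "__main__":
    for ip, when in find_offenders(sample_log()).items():
        print(f"ban {ip} (threshold crossed at {when.isoformat()})")
```

The slow visitor produces as many 404s as the scanner but never 20 inside one window, which is why the window matters as much as the count for limiting false positives.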
Why don't all web hosts apply these security measures?
Fine-tuned attack detection and automatic blocking of attackers is a highly effective solution. However, not all hosting providers apply this kind of security. Why not?
If a legitimate user's IP address accidentally triggers security, he loses access to his site. This is known as a "false positive". And who will he turn to in order to diagnose the source of the blockage and get unblocked? His web host.
As far as I know, with a few rare exceptions, most hosts don't want to use their time for this. Sometimes they're even hard to reach. In practice, very few hosts seem to apply this type of security.
Failure to apply these safeguards has two main effects:
- For the host: this drastically reduces the number of calls and tickets received... and therefore costs. However, it drastically increases the server load (the unnecessary use of resources). So, everyone makes their own calculations... Pay humans, or pay machines... For many, the choice seems to be in favor of machines. Don't you dare talk to me about eco-responsibility.
- For customers: this dangerously reduces the final security level of your websites, leaving the way open for attackers and potentially causing slowdowns.
At LRob, our goal is not to charge rock-bottom prices and leave you to be attacked and unsupported. We're not afraid to receive your tickets, emails and calls. We remain at your disposal, adjusting security to your specific needs. So you're well protected, well advised, and quickly unblocked if need be. Choose your WordPress hosting now!
What does this mean for LRob?
For the time being, we have seen no slowness caused by these attacks 🚀 (because we're still a long way from server saturation, thanks to a reasonable fill rate and constant optimization).
No successful attack was detected. And still no hacked site to deplore. 🔒
In addition, we have recovered our 6% of wasted CPU and further raised the final security level.
We remain vigilant, because there's no such thing as 100% security, and nobody is invulnerable. That's why we constantly monitor new threats and adapt our defense systems in real time. So that your site remains high-performing and secure, whatever the changing cyber landscape. 🚀
Choose secure, high-performance WordPress hosting
Optimized hosting means more than just disk space and bandwidth. It must also anticipate threats, actively protect your site and guarantee rapid execution. Your host must also advise you and provide you with real, quality support.
With LRob, you benefit from an environment designed specifically for WordPress, capable of detecting and blocking attacks and adapting to them. Enjoy one of the highest levels of performance, a simple and intuitive panel with the WordPress Toolkit, and attentive support!