A new threat on an unprecedented scale is shaking up the web: 2.8 million compromised network devices are currently being used to flood the Internet with malicious requests.
At LRob, as a web host, we've seen a dramatic increase in attacks over the last few days. We'll explain how we're effectively blocking them.
These attacks are not just a nuisance: they can have a serious impact on the performance and security of your websites. How does the attack work? What impact does it have on your websites? How can you protect yourself? Here are the answers.
Details of the cyber attack
Discovery of the cybersecurity attack
As reported by Cyber Security News, a vast brute-force attack (testing all passwords) began by targeting VPN and firewall connections using 2.8 million IP addresses: a sort of brute force crossed with a giant DDoS (Distributed Denial of Service).
First detected in January 2025 by the Shadowserver Foundation, this campaign targets edge security devices such as VPNs, firewalls and routers from vendors such as Palo Alto Networks, Ivanti and SonicWall.
Cybercriminals are using residential proxy networks and compromised devices, including MikroTik, Huawei and Cisco routers, to carry out these attacks. More than 1.1 million of the IP addresses involved come from Brazil. This is followed by Turkey, Russia, Argentina, Morocco, Mexico and other countries such as Ireland, according to some observations.
Together they form an increasingly large botnet, capable of carrying out a variety of attacks. And we can confirm that this is starting to show on the web hosting side, with attacks increasing over the last few days. So it could be that many new devices have been compromised.
Official cybersecurity bodies react
Faced with this growing threat, international cybersecurity agencies (CISA, NCSC, etc.) are recommending that manufacturers improve the default security of their devices and that businesses strengthen the protection of their network access. The use of multi-factor authentication (MFA), regular system updates and network segmentation are essential to reduce the risks. Shadowserver warns that these attacks are likely to continue, affecting other providers and regions.
Propagation to web hosts - LRob observations
At LRob, we have seen an increase in illegitimate requests since the beginning of 2025, followed by a drastic jump since 8 February.
On 11 February, a record was set, with +500% attackers compared with the usual average.
Paradoxically, this was International Safer Internet Day, organised in France by Internet Sans Crainte.
A colleague confirms a simultaneous increase in the number of attacks received on his machines. I'm also getting in touch with other hosting companies to see if they too are seeing an increase in attacks.
In raw figures, we exceeded 10,000 attackers blocked on Tuesday 11 February 2025, i.e. 5x the average value.
As for server load, the average CPU usage of our servers has increased by around 6%, from 14 to 20%. Although that still leaves us 80% of room to manoeuvre, it's enough for us to take action (see below).
Origin of attacks
For our part, the attacks come from all over the world, and we haven't compiled precise statistics on where they come from, because that requires a lot of logistics for little added value. The priority is to block as many attacks as possible.
What's more, the type of origin of the attacks is very varied, from domestic IPs to datacenter IPs. This suggests that we are dealing with a huge botnet.
As far as geographical origin is concerned, we can say with a pinch of salt that the attacks seem to be coming from just about anywhere in the world, with China potentially in the lead (nothing unusual, then...).
But there have also been attacks from Singapore, Brazil, India, Vietnam, Kazakhstan, Spain, Finland, Japan, Korea, Hong Kong, Thailand, Canada, USA, Georgia, France, Italy, UK, Bangladesh, Romania, Philippines...
In short, nothing stands out at first glance, with attacks coming from everywhere, as usual.
For a direct overview, see LRob reports on AbuseIPDB.
Correlation is not causation - Some reservations
Admittedly, it is impossible to establish a definite link between the current global attack and this increase in attacks on LRob's web servers and WordPress sites. Indeed, despite a colleague's confirmation, the sample is not sufficient to conclude with certainty.
However, the correlation remains striking and it doesn't seem far-fetched to think that the two are linked. If we are to go any further, we will need to consult other colleagues to see whether or not the attacks are widespread.
WordPress hosting & attacks: what are the consequences?
Administrators, web agencies and owners of WordPress sites should ask themselves:
«Is my WordPress hosting ready to withstand this wave of attacks?»
Both for the current attack and for future ones, if your web host does not block these attacks, you could quickly suffer the consequences:
- Slowness: parasitic requests slow down your site
- Inaccessibility: total server saturation can prevent your site from responding at all
- Intrusions: a successful attack can compromise your data and that of your customers
- SEO degradation: if just one of the above points occurs, it can seriously damage your ranking
How to protect your WordPress hosting? LRob method.
LRob already provides automatic blocking of attackers directly at server level. This drastically reduces the server load, improves performance and dramatically reduces the risk compared with traditional hosting providers. In our view, this is the best solution, tried and tested over many years.
An application firewall (WAF) and many security rules specific to WordPress are applied: this keeps your websites fast and protected.
If these safeguards are triggered, the attacker is completely blocked from the server. Their attacks and requests then have no effect.
As a bonus, we report the attack to AbuseIPDB to help the few conscientious web hosts around the world.
Despite this, we observed a slight increase of 6% in the CPU usage of our servers, while the raw number of attacks rose by +500%, as we have seen.
When we looked into the main cause of this increase in CPU usage, around 5% came from 404 requests (non-existent URLs) and 1% from other, more complex requests.
We have therefore taken additional measures to restore normal load levels. By adjusting in this way, we can continue to ensure maximum performance for the sites we host, even if the attack increases. We're not invincible (nobody is), but we have nothing to be ashamed of when compared with other hosting providers - quite the contrary. And we have other tricks up our sleeve if need be.
New measures to reduce the waste of resources
Some malicious IPs generate a flood of useless requests (404 errors, abusive scraping, etc.), wasting processor clock cycles without posing a direct threat. And the waste is unbearable.
We have therefore introduced a strict rule: IPs triggering too many 404s are now automatically banned.
The results are immediate:
- More than 500 attackers banned thanks to this rule in 24 hours
- Significant reduction in CPU usage
- Consistent performance for legitimate visitors
Of course, we can't detail all the new rules publicly, but if you're a server administrator, a word of advice: use top/htop (and hope that each site has its own user and FPM), check your logs with a good grep, and finally, create custom jails in fail2ban. Also, whitelist search engines like Google and Bing, because they trigger a lot of 404s and it would be a shame to get your hosted sites de-indexed.
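One way to express the "too many 404s" rule described above, as an added example rather than LRob's actual rule set: a sliding-window counter over access-log lines that follows the same maxretry/findtime logic a fail2ban jail uses and skips allowlisted crawler ranges. The thresholds, the allowlist range (a documentation placeholder), the function names and the sample log lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration, not LRob's actual rule.
MAX_404 = 5                     # plays the role of fail2ban's "maxretry"
WINDOW = timedelta(seconds=60)  # plays the role of fail2ban's "findtime"
# Placeholder allowlist (documentation range) standing in for crawler ranges.
CRAWLER_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Common/combined log format: client IP, [timestamp], "request", status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:[^"\\]|\\.)*" (\d{3}) ')


def find_404_abusers(lines, max_404=MAX_404, window=WINDOW):
    """Return IPs with more than max_404 404 responses inside `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 404s
    banned = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "404":
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # malformed address or timestamp: ignore the line
        if str(ip) in banned or any(ip in net for net in CRAWLER_NETS):
            continue  # already banned, or an allowlisted crawler
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:  # forget 404s older than the window
            hits.popleft()
        if len(hits) > max_404:
            banned.add(str(ip))
    return banned


def sample_log():
    """Constructed lines: a scanner, an allowlisted crawler, a visitor."""
    fmt = '{} - - [11/Feb/2025:10:00:{:02d} +0100] "GET /{} HTTP/1.1" {} 512'
    lines = [fmt.format("203.0.113.7", s, f"old-{s}.php", 404) for s in range(8)]
    lines += [fmt.format("192.0.2.10", s, f"gone-{s}", 404) for s in range(8)]
    lines += [fmt.format("198.51.100.4", 5, "favicon.ico", 404),
              fmt.format("198.51.100.4", 6, "", 200)]
    return lines


if __name__ == "__main__":
    print(sorted(find_404_abusers(sample_log())))
```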
Why don't all web hosts apply these security measures?
Precise detection of attacks and automatic blocking of attackers is a highly effective solution. However, not all web hosts apply this type of security. Why don't they?
If a legitimate user's IP address accidentally triggers security, they lose access to their site. This is known as a «false positive». And who will they turn to in order to diagnose the source of the blockage and have it unblocked? Their web host.
As far as I know, with a few rare exceptions, most web hosts don't want to use their time for this. Sometimes they are even difficult to reach. In practice, very few web hosts seem to apply this type of security.
Not applying these safeguards has two main effects:
- For the host: this drastically reduces the number of calls and tickets received... and therefore costs. However, it also drastically increases the server load (the unnecessary use of resources). So everyone has to make their own calculations... Paying humans, or paying machines... For many, the choice seems to be in favour of machines. Don't you dare talk to me about eco-responsibility.
- For customers: this dangerously reduces the final security level of your websites, leaving the way open for attackers and potentially causing slowness.
At LRob, our aim is not to charge rock-bottom prices and leave you to be attacked and unsupported. We are not afraid to receive your tickets, emails and calls. We remain at your disposal and adjust security to your specific needs. So you're well protected, advised and quickly unblocked if necessary. Choose your WordPress hosting now!
What impact will this have on LRob?
For the time being, we have observed no slowness caused by these attacks 🚀 (because we are still a long way from server saturation thanks to a reasonable fill rate and constant optimisation).
No successful attack was detected. And still no hacked sites to report. 🔒
In addition, we have recovered our 6% of wasted CPU and further improved the final level of security.
We remain vigilant, because 100% security does not exist and no one is invulnerable. So we constantly monitor new threats and adapt our defence systems in real time, so that your site remains high-performing and secure, regardless of changes in the cyber landscape. 🚀
Choose secure, high-performance WordPress hosting
Optimised hosting is more than just offering disk space and bandwidth. It must anticipate threats, actively protect your site and guarantee speed of execution. Your host must also advise you on a day-to-day basis and provide real quality support.
With LRob, you'll benefit from an environment designed specifically for WordPress, capable of detecting and blocking attacks and adapting to them. You'll also benefit from one of the highest levels of performance, a simple and intuitive panel with the WordPress Toolkit, and attentive support!

