I started my investigation by first going through the access logs. My guess is that the attacks started on the 17th of July.

First, on the 17th of July there were hundreds of attempts to log in at my WP site from this IP:

23.94.66.178 - - [17/Jul/2018:22:19:59 +0000] "POST /blog//wp-login.php HTTP/1.0" 401 3448 "-" "-"

The IP is somewhere in Buffalo, NY: https://ipalyzer.com/23.94.66.178
IP owner is someone named ComelyHost.

Then I found this IP was trying to access my WP site several times on the 20th of July. Here is the info from the log:

95.174.64.69 - - [20/Jul/2018:03:15:50 +0000] "GET //blog/wp-login.php HTTP/1.1" 200 1687 "http://engrishcheck.com/" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.16.69 (KHTML, like Gecko) Version/4.7.2 Safari/533.24"
95.174.64.69 - - [20/Jul/2018:03:15:53 +0000] "GET //blog/?author=1 HTTP/1.1" 200 9301 "http://engrishcheck.com/" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.16.69 (KHTML, like Gecko) Version/4.7.2 Safari/533.24"

This kept going until "GET /blog/?author=30".

The IP is somewhere in Milan, Italy: https://ipalyzer.com/95.174.64.69
IP owner is someone named GLOBALAXS NOC MILAN.

Then on the same day this:

46.250.4.149 - - [20/Jul/2018:18:17:20 +0000] "GET //blog/?author=1 HTTP/1.1" 200 9301 "http://engrishcheck.com/" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:52.56.09) Gecko/20167285 Firefox/52.56.09"

This kept going until "GET /blog/?author=29".

The IP is somewhere in Odessa, Ukraine: https://ipalyzer.com/46.250.4.149
IP owner is someone named TOV TRK Briz.

Then again on the 23rd this IP was trying to access my WP site several times:

41.149.72.132 - - [23/Jul/2018:06:14:04 +0200] "GET /blog/?author=1 HTTP/1.1" 301 246 "-" "Mozilla/5.0 (X11; U; Linux i686; pt-BR; rv:1.9.0.15) Gecko/2009102815 Ubuntu/9.04 (jaunty) Firefox/3.0.15"

This kept going until "GET /blog/?author=10".

Then it tried to access this hundreds of times:

41.149.72.132 - - [23/Jul/2018:04:14:36 +0000] "POST /blog//wp-login.php HTTP/1.1" 301 250 "-" "Mozilla/5.0 (X11; U; Linux i686; pt-BR; rv:1.9.0.15) Gecko/2009102815 Ubuntu/9.04 (jaunty) Firefox/3.0.15"

The IP is somewhere in South Africa: https://ipalyzer.com/41.149.72.132
IP owner is someone named Markus Stoltz.

Any comments? What kind of WP vulnerability allowed that to happen and managed to get cPanel access? Must be 0day, since I religiously update WP to the latest release...
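The two patterns in the quoted log (a walk through `?author=1`, `?author=2`, ... to harvest usernames from the author-archive redirect, followed by a burst of `POST` requests to `wp-login.php`) are easy to pick out mechanically. The script below is an added example, not code from the original post or from WordPress: it parses combined-format access log lines, groups them by source IP, and flags any IP that enumerated several author IDs or hammered the login form. The sample log is constructed here to mimic the lines quoted above (same IPs and paths, invented timestamps and sizes), and the thresholds are arbitrary starting points. It goes slightly beyond the post by also counting hits on the `/wp-json/wp/v2/users` endpoint, which leaks the same usernames as the author-archive walk.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format, which is what the lines quoted in the post look like.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths in the post appear with doubled slashes (//blog/, /blog//wp-login.php), so allow /+.
AUTHOR_RE = re.compile(r'^/+blog/+\?author=(\d+)$')          # author-archive walk
LOGIN_RE = re.compile(r'^/+blog/+wp-login\.php(\?.*)?$')     # login form
REST_USERS_RE = re.compile(r'^/+blog/+wp-json/wp/v2/users')  # REST user listing (assumed extra vector)


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, enum_threshold=5, login_threshold=20):
    """Group requests by IP and report enumeration and login brute-force patterns.

    Returns {ip: [finding, ...]} for IPs that crossed a threshold.
    """
    author_ids = defaultdict(set)   # ip -> set of enumerated author IDs
    rest_hits = defaultdict(int)    # ip -> hits on /wp-json/wp/v2/users
    login_posts = defaultdict(int)  # ip -> POSTs to wp-login.php (any status: 200, 301, 401 all count)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path = rec['ip'], rec['method'], rec['path']
        m = AUTHOR_RE.match(path)
        if m and method == 'GET':
            author_ids[ip].add(int(m.group(1)))
        elif method == 'GET' and REST_USERS_RE.match(path):
            rest_hits[ip] += 1
        elif method == 'POST' and LOGIN_RE.match(path):
            login_posts[ip] += 1

    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= enum_threshold:
            findings[ip].append(f"author enumeration: ids {min(ids)}-{max(ids)} ({len(ids)} ids)")
    for ip, n in rest_hits.items():
        if n:
            findings[ip].append(f"REST user listing: {n} requests to /wp-json/wp/v2/users")
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings[ip].append(f"login brute force: {n} POSTs to wp-login.php")
    return dict(findings)


def _line(ip, ts, method, path, status, ua="Mozilla/5.0 (constructed)"):
    # Constructed log line in combined format; sizes and referer are invented.
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 1234 "-" "{ua}"'


# Constructed sample log modelled on the post: three noisy IPs plus one ordinary visitor.
SAMPLE_LOG = (
    [_line("95.174.64.69", "20/Jul/2018:03:15:53 +0000", "GET", f"//blog/?author={i}", 200)
     for i in range(1, 31)]
    + [_line("41.149.72.132", "23/Jul/2018:04:14:04 +0000", "GET", f"/blog/?author={i}", 301)
       for i in range(1, 11)]
    + [_line("41.149.72.132", "23/Jul/2018:04:14:36 +0000", "POST", "/blog//wp-login.php", 301)
       for _ in range(150)]
    + [_line("23.94.66.178", "17/Jul/2018:22:19:59 +0000", "POST", "/blog//wp-login.php", 401)
       for _ in range(300)]
    + [_line("203.0.113.7", "21/Jul/2018:10:00:00 +0000", "GET", "/blog/", 200),
       _line("203.0.113.7", "21/Jul/2018:10:00:05 +0000", "GET", "/blog/?author=1", 200)]
)

if __name__ == "__main__":
    for ip, notes in analyse(SAMPLE_LOG).items():
        for note in notes:
            print(f"{ip}: {note}")
```

A single `?author=1` from a normal visitor stays below the threshold, while a sequential walk of ten or more IDs is reported with its range. Running it against the real file is just `analyse(open('access_log').read().splitlines())`; the status code is deliberately ignored for login POSTs, because a 301 to HTTPS or a 401 both still represent a password guess.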