Recently, one of our client web sites had an attempted attack on its login page from a distant server. The site remained online and active, and we were informed.
We knew because it is a WordPress site with premium Wordfence protection software installed, and we kept getting emails every 5 minutes about the 100s of attempts made in the previous 5 minutes. The attempts came from an already-blocked IP, because Wordfence had previously been set up to block admin page access from the country in question.
Still, these emails are annoying, and the problem IP shouldn’t be allowed to just continue the attack. It had started in the early hours of the morning, and had been going on for several hours when discovered.
Wordfence provides the IP for these attacks, and it was the same IP every time. We used that information to determine the server location (Sweden) and the hosting provider. We checked the provider’s web site, and it offered a problem-report contact for non-clients in ENGLISH (thankfully, since our Swedish language skills are non-existent…), so we notified them of the issue and the specifics.
Within an hour they were working on it, and within a few hours the attack stopped. I don’t know what happened to their customer who had that IP, but it probably resulted in at least the temporary shutdown of the account until whatever the issue was (likely a site infection on their end) was resolved.
It worked exactly how it should have worked, thanks to Wordfence. And kudos to the server company, because there are sketchy ones out there that would slow-roll any effort, hoping the issue would go away by itself.
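A hosting provider can act faster when the report includes the source IP, the time range and request counts. The sketch below is an added example, not part of the original incident or of Wordfence: it assumes the web server's access log is available in combined log format, and it summarizes login-page POSTs per IP in 5-minute windows. The log lines, the documentation-range IPs and the threshold of 100 are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Combined log format: client IP, [timestamp], "METHOD path ..."
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
THRESHOLD = 100  # assumed cut-off for "100s of attempts" per 5-minute window

def login_attempts(lines):
    """Yield (ip, timestamp) for each POST to wp-login.php."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        ip, ts, method, path = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            yield ip, datetime.strptime(ts, TS_FMT)

def abuse_summary(lines, threshold=THRESHOLD):
    """Return an evidence record for each IP whose busiest window reaches threshold."""
    buckets = defaultdict(Counter)
    seen = defaultdict(list)
    for ip, ts in login_attempts(lines):
        # Floor the timestamp to the start of its 5-minute window.
        start = ts - timedelta(minutes=ts.minute % 5, seconds=ts.second)
        buckets[ip][start] += 1
        seen[ip].append(ts)
    report = {}
    for ip, counts in buckets.items():
        peak_start, peak = max(counts.items(), key=lambda kv: kv[1])
        if peak >= threshold:
            report[ip] = {"first_seen": min(seen[ip]).isoformat(),
                          "last_seen": max(seen[ip]).isoformat(),
                          "total": sum(counts.values()),
                          "peak_window": peak_start.isoformat(),
                          "peak_count": peak}
    return report

def sample_log():
    """Constructed sample: one noisy source, one ordinary user, one bad line."""
    base = datetime.strptime("01/Jan/2024:03:00:00 +0000", TS_FMT)
    fmt = '{} - - [{}] "POST /wp-login.php HTTP/1.1" 403 512 "-" "-"'
    lines = [fmt.format("192.0.2.10", (base + timedelta(seconds=2 * i)).strftime(TS_FMT))
             for i in range(300)]
    lines += [fmt.format("198.51.100.7", base.strftime(TS_FMT)), "not a log line"]
    return lines

if __name__ == "__main__":
    for ip, record in abuse_summary(sample_log()).items():
        print(ip, record)
```

The timestamps in the output keep the log's UTC offset, which lets the provider match the report against its own records.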