One of the first server-level compromises I had to deal with in my life was around 15 years ago, and it was caused by an SSH brute force attack. A co-worker set up a test server and chose a very weak root password. A few days later, the box was compromised and the attackers installed IRC bots and used that server as a stepping stone to hack others.
You would think that after 15 years of improvements on security, brute force attacks would be a thing of the past.
However, brute force attacks are still going strong. In fact, they are one of the leading causes of website compromises. When you have an unprotected login page, you will see brute force attempts. With WordPress sites, same rule applies. We see thousands of failed login attempts to /wp-login.php on the websites we protect per minute.
We see so many that we decided to create a separate page to track the state of brute force attacks against WordPress sites in our network:
This page is updated daily with new data that we see on brute force attacks live in the wild. We will be adding more data to it soon, but for now it can give a good idea of the current threat level.
If you have any suggestions or ideas on what to add, let us know.