Case Study

2.7 million attacks blocked in 14 days

How EagleEye protected Imagia against a massive attack wave — including 2.3 million malicious requests in a single day.

Client: Imagia
Industry: Architecture & Design
Platform: WordPress
Period: May 2026 (14 days)
Infrastructure: cPanel / AlmaLinux

Results in numbers

Real numbers pulled from our SIEM — no estimates.

  • 2.7M+ attacks blocked (14 days)
  • 447K unique malicious IPs
  • ~3s detection → block
  • 0 successful breaches
  • 6,654 IPs blocked in firewall
  • 380+ legitimate ranges whitelisted
  • −67% traffic reaching Apache

The context

Imagia is the showcase site of a Moroccan architecture firm hosted on a shared cPanel server. Without dedicated protection, it was receiving hundreds of attacks per day with no visibility and no means of response.

The problem was classic for production WordPress sites: brute-force attempts on wp-login.php, XML-RPC floods, user enumeration — with a real risk of compromise.

EagleEye was deployed in early May 2026. Our agent was installed on the server, custom detection rules activated, and automatic blocking configured via the iptables API.

The effect was immediate: malicious request spam dropped drastically and server performance improved noticeably — lower CPU load, fewer junk connections.

Most significantly: by blocking at the network layer (iptables/ipset), traffic reaching Apache was reduced by two-thirds — malicious requests are stopped before they ever touch the web server. The server is measurably more responsive for legitimate visitors as a result.

Event timeline

The first two weeks of real-time protection.

01
10 May 2026 — Day 1
EagleEye deployment
EagleEye agent installed, WordPress rules activated, blocking pipeline operational. 3,499 attacks detected and blocked on day one — confirming the site was already actively targeted.
3,499 blocks — Day 1

02
11 May 2026 — Day 2
First wave — traffic surge
Volume multiplied 99× in 24h. 346,278 attack attempts in one day — mostly WordPress Login floods from distributed IPs. All blocked at firewall level before reaching PHP.
346,278 blocks

03
12 May 2026 — Day 3
Massive coordinated attack — peak 2.3M/day
2,368,935 attacks in a single day. A coordinated campaign targeting wp-login.php from thousands of distinct IPs spread globally. The system maintained a block latency under 3 seconds throughout the event. No successful breach. No performance degradation for legitimate visitors.
Peak: 2,368,935 blocks in 24h

04
13–24 May 2026
Back to baseline — continuous protection
After the wave, volume settled back to 600–1,100 attacks/day — the normal background noise for an exposed WordPress site. 6,654 individual IPs and 15,425 network ranges were permanently blocked in the firewall, reducing repeat attacker load.
Baseline stabilized

🔴 The May 12 Event

2,368,935 malicious requests in 24 hours. The campaign exclusively targeted wp-login.php with massive IP rotation to bypass simple IP bans.

EagleEye responded by detecting behavioral patterns (request frequency per IP, user agents, timing) rather than relying solely on static blocklists.

Result: blocked at network level (iptables), before requests reached Apache or WordPress. Zero additional load on PHP or MySQL.

✅ What held up

  • Network block ~3s even at 2M+ req/day
  • No service disruption for legitimate visitors
  • 380+ SEO crawlers never blocked (Google, Bing, Ahrefs…)
  • FIM active — no WordPress file modification detected
  • Live dashboard — full real-time visibility
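
The per-IP request-frequency signal and network-layer blocking described above can be sketched as follows. This is an added example, not EagleEye's code: the thresholds, the set name `wp_login_flood`, the allowlisted range and the log lines are constructed assumptions, and it covers only the per-IP frequency signal (not user agents or cross-IP timing).

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed thresholds (not from the case study); tune per site.
WINDOW_SECONDS = 10
MAX_LOGIN_POSTS = 5
# Constructed allowlist: a documentation range stands in for crawler ranges.
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]
# Leading fields of an Apache combined-format access log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def detect_login_flood(lines):
    """Return IPs (detection order) with more than MAX_LOGIN_POSTS POSTs
    to /wp-login.php inside any WINDOW_SECONDS sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    flagged = {}                  # dict keeps first-detection order
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ip = m["ip"]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:        # hostname or garbage in the client field
            continue
        if ip in flagged or any(addr in net for net in ALLOWLIST):
            continue              # already blocked, or never block this range
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW_SECONDS:   # drop hits older than the window
            q.popleft()
        if len(q) > MAX_LOGIN_POSTS:
            flagged[ip] = True
    return list(flagged)

def ipset_commands(ips, set_name="wp_login_flood", timeout=3600):
    """Render block commands for a hash:ip set (IPv4 here); name is hypothetical."""
    return [f"ipset add {set_name} {ip} timeout {timeout} -exist" for ip in ips]

def constructed_sample():
    """Constructed log lines: one flooder, one allowlisted client, one slow client."""
    fmt = '{ip} - - [12/May/2026:10:00:{s:02d} +0000] "{req} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="203.0.113.7", s=s, req="POST /wp-login.php") for s in range(8)]
    lines += [fmt.format(ip="192.0.2.10", s=s, req="POST /wp-login.php") for s in range(8)]
    lines += [fmt.format(ip="198.51.100.4", s=s, req="POST /wp-login.php") for s in (0, 20, 40)]
    lines += [fmt.format(ip="198.51.100.9", s=s, req="GET /") for s in range(8)]
    return lines

if __name__ == "__main__":
    print("\n".join(ipset_commands(detect_login_flood(constructed_sample()))))
```

The commands assume the set was created with timeout support (`ipset create wp_login_flood hash:ip timeout 3600`) and is referenced by an iptables rule such as `-m set --match-set wp_login_flood src -j DROP`.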

Attack vector breakdown

Based on 2,746,918 classified block alerts from the SIEM.

  • WordPress Login Flood: 2,697,564
  • Multi-400 flood (scanner): 10,554
  • IDS / Blocklist: 11,274
  • SSH Scan: 3,397
  • Suspicious HTTP activity: 3,552
  • SSH Brute-force (PAM): 4,911
  • xmlrpc.php flood: 2,253

* Bars proportional to relative volume, not absolute total.

Your site is the next target.

Not a hypothesis — a statistical certainty. Automated scanners probe every public IP address continuously.
