It's a bot from:
Amazon Web Services (AWS)
54.64.0.0 - 54.71.255.255
54.64.0.0/13

FYI - AWS is cloud space leased to anyone & for anything. Their customers may do whatever with impunity IMO. However Google, Microsoft and dozens of other companies also offer similar services. Defensive web-mastering is now a required art.

Here's a thread listing other AWS ranges: [webmasterworld.com...]

It is always a POST or GET request to wp-login.php

IMO Wordpress has long been a target for exploit attempts (hacks) because of inherent vulnerabilities. As soon as WP patches a security hole, more are uncovered by bad doers. There's also a vast number of WP web sites out there run by people who know very little about security. Thus a huge amount of bot requests are for WP related files and back doors. I get a hundred a day and I have never even used WP.

I get a hundred a day and I have never even used WP.

I am jealous. I see 1500 in half an hour for /wp-login.php, /xmlrpc.php and now /?author=1 along with assorted requests for plugins I've never used, /admin.php and other apparently vulnerable files. Scary stuff and it is increasing.

I use a file called wp-login.php as the filename for a bot blocker trap on non-wp sites. ;)

Yes, it's a good flag for bad neighborhoods and/or infected ISP accounts.

However a script cuts them off if it continues beyond a certain number or the hits are too fast, hence I wouldn't see 1500 a half hour, at least from the same source.

Keep in mind, if you block bot traffic from AWS you also block the legitimate DuckDuckGo-Favicons-Bot, which operates from AWS. Just sayin'...

Not only DuckDuck but many beneficial bots and a half dozen apps (Facebook Android & iOS) who bring human traffic make their home at AWS, so a more surgical approach is needed using IP, UA and Header attributes.

@not2easy
That is a good idea. I think I'll do the same and create a wp-login.php trap to record IP/UA's.

I'm already rate limiting traffic to wp-login.php to one post request per second per IP and outright block access to xmlrpc.php. That seems to curtail the success rate of these kind of attacks. In any case the traffic stopped about 8 hours ago so either Amazon shut them down or they just moved on to another target. Thanks for all the feedback.

Since I don't use Wordpress, i use the following in .htaccess :

# BLOCK FILES
<FilesMatch "^(wp-config.php|browserconfig.xml|xmlrpc.php|wp-login.php|license.txt)"> 
 Order allow,deny
 Deny from all
 Satisfy All
</FilesMatch>

those are some of the most common, but sometimes you'll see a long succession of dozens of requests for others, which get 404 responses instead of 403.

@aristotle - If mod_rewrite is already on, no need to open another module. Simpler & faster to just use:

RewriteRule (wp-|xmlrpc|) - [NC,F]

BTW - browserconfig.xml is a valuable tool. When you block access to this file (or have not created it) you are loosing control of which files (tiles) represent your web pages when bookmarked to user's home screen, then the browser will guess... which may not be the best choice :)

if you block bot traffic from AWS you also block the legitimate DuckDuckGo-Favicons-Bot, which operates from AWS

But not, I think, from 54. (Has anything good ever come from 54?) I think the only reason I don't deny from the whole /8 is that a few bits still belong to Merck and you could conceivably get humans on their lunch break... Same goes for 52, originally duPont.

:: pause for usual moment of irritation at the sheer number of holes one is forced to poke for DDG faviconbot, as if it's actively trying to get itself blocked ::

I block POST categorically except for things like the contact form that legitimately use it. (The server itself, somewhere upstream, already blocks PUT so I don't have to.)

Has anything good ever come from 54?

Well, I guess it depends on what you think is "good." I allow approximately 19 UAs and several sub-ranges access.

FWIW - 54 is almost all cloud and home to about a half dozen apps including Facebook Android & Facebook iOS.

This is also home to several bots that data mine for marketing (I sell ads & publish Adsense) and several security services, that if blocked, may stop visitors from clicking links to our sites.

There's also a pretty big part of 54 assigned to Nokia & other proxies which, while mostly European, may still bring a good stream mobile visitors.

There are also at least 2 US county school districts which can be a good source of traffic (get 'em while they're young) and a couple city gov'ts and a Canadian Tribal /27.

All this combined with the various companies that supply connectivity to their employees making 54 well worth the effort of punching holes IMO. YMMV

if you block bot traffic from AWS you also block the legitimate DuckDuckGo-Favicons-Bot, which operates from AWS

But not, I think, from 54

Correct. The DuckDuckGo-Favicons-Bot comes from a different AWS range: 107.20/14