Maroc Telecom

         

w3bmastine

6:50 am on May 18, 2016 (gmt 0)

10+ Year Member




System: The following message was cut out of thread at: https://www.webmasterworld.com/search_engine_spiders/4784479.htm by keyplyr - 11:45 pm on May 17, 2016 (UTC -8)


Host: Maroc Telecom SA
NetRange: 41.140.0.0 - 41.143.255.255
CIDR: 41.140.0.0/14

Multiple WordPress hacking attempts.

keyplyr

7:59 am on May 18, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@w3bmastine - Maroc Telecom is the main telecommunication company in Morocco (an ISP.) It is not a Server Farm so I moved your post here to its own thread.

Likely the hits came from an infected account.

w3bmastine

4:43 pm on May 18, 2016 (gmt 0)

10+ Year Member



I understand. How can I differentiate between ISP and Server Farm? Do you have any advice?

lucy24

6:46 pm on May 18, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



How can I differentiate between ISP and Server Farm?

Look them up individually. But if the name involves "Telecom" it's pretty safe to assume it's an ISP of some sort ;)

I assume Morocco is yet another of those places where a lot of people use pirated system software, so they're exceptionally prone to infection. There just don't happen to be as many computer users in Morocco as in, say, Ukraine.

Conversely, there's a short list of words that practically never show up except in the names of server farms: "rack" is the first one that comes to mind. And of course descriptors such as "server", "host", "colocation". If the IP lives in North America, a contact address involving "hostmaster" is another dead giveaway, but in other parts of the world this term may be used generically, so it doesn't necessarily mean anything.

aristotle

7:39 pm on May 18, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Small hosting companies are another place where you find this.

keyplyr

8:53 pm on May 18, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Multiple WordPress hacking attempts
As mentioned in other threads, most often these hits come from infected user accounts at ISPs. A user, just like you or me, gets their account infected with a virus by opening an infected email, visiting an infected web site or downloading an infected file. The virus (script) then uses that account to send out probes to see what web sites are vulnerable to infect or spam or hack in some way.

Sometimes these hits do come from infected servers at hosting companies, colocation services, data centers, VPN, Cloud Computing (e.g. Server Farms.)

In either case, the infection is usually detected within a few days and fixed. It helps to send the admins (abuse@example.com) a report of the activity by including a raw log snippet, your domain name and the IP address of your server. Too many of us don't report it. Holding the server admins accountable is the best way to effect change.

Since these infected sources are almost always temporary, rather than block the IP range, it is more effective to block the behavior. If you do use WordPress, make sure to quickly install the security updates when they become available. If you do not use WP, just block the request for these files and live with the 403s. I get several hundred every day.
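The reporting step described in the post above, as an added example that is not part of the thread: it picks WordPress probe requests out of an access log by what was requested rather than by IP range, and assembles the raw log snippet, domain name and server IP for an abuse report. The Combined Log Format, the list of WordPress paths, the function names and all addresses and log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Paths only a WordPress install would serve (assumed list; extend as needed).
WP_PROBE = re.compile(
    r"/(wp-login\.php|xmlrpc\.php|wp-admin(/|$)|wp-content/|wp-includes/)", re.I)
# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [18/May/2016:06:41:02 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [18/May/2016:06:41:03 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.20 - - [18/May/2016:06:42:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [18/May/2016:06:41:05 +0000] "GET /blog/wp-admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.20 - - [18/May/2016:06:43:00 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

def find_wp_probes(log_text, min_hits=2):
    """Return {ip: [raw log lines]} for clients with at least min_hits probes."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m and WP_PROBE.search(m.group(4)):  # group 4 is the requested path
            hits[m.group(1)].append(raw)       # keep the raw line for the report
    return {ip: lines for ip, lines in hits.items() if len(lines) >= min_hits}

def abuse_report(ip, lines, domain, server_ip):
    """Build the report body: raw log snippet, your domain name, your server IP."""
    return "\n".join([
        f"Subject: WordPress probing from {ip}",
        "",
        f"Target site: {domain} (server {server_ip})",
        f"Source address: {ip}, {len(lines)} requests, timestamps as logged:",
        "",
        *lines,
    ])

if __name__ == "__main__":
    for ip, lines in find_wp_probes(SAMPLE_LOG).items():
        print(abuse_report(ip, lines, "example.org", "192.0.2.10"))
```

The `min_hits` threshold keeps a single stray request (the second address in the sample) out of the report; the recipient address comes from the abuse contact in the WHOIS record for the source range.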

w3bmastine

10:01 pm on May 18, 2016 (gmt 0)

10+ Year Member



Thanks for your advice everyone.