Wordfence, a security research company, discovered that the reason Algeria is the country most often seen in attacks on WordPress blogs is that the country's largest ISP distributes home routers that are locked in an insecure state, with an open port that lets attackers seize control of them and use them to stage attacks on higher-value targets.
All told, Wordfence sees 10,000 Algerian IP addresses implicated in 2,000 attacks per month, each.
The hackable routers are made by Zyxel, and they leave port 7547 open to listen for messages sent on Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2), an embedded webserver with a known, unpatched vulnerability.
Other major ISPs that distribute these insecure routers are BSNL India and Philippine Long Distance Telephone. Attacking WordPress blogs is the least of the mischief that these things can wreak, they can also be used for unstoppable Denial of Service attacks.
OVH was hit by a 1 Terabyte DDoS attack in September last year, one of the largest in history. Approximately 152,000 IOT (Internet of Things) devices that had been compromised generated the traffic in that attack.
In just the past month we have seen over 90,000 unique IP addresses at 28 ISPs that fit our compromised-router attack pattern. We monitor these attacks across our customer websites which is an attack surface of over 2 million websites. We only see a sample of the attacks that all websites globally experience. If you extrapolate the numbers, it indicates that there is a very large number of compromised ISP routers out there performing attacks and acting in concert.
At this point it would not be a stretch to say that vulnerabilities in TR-069 may have created a very large botnet which could soon generate the largest DDoS attack the Internet has ever seen.
Thousands of Hacked Home Routers are Attacking WordPress Sites
[Wordfence]
(Thanks, Chris!)