Starting April 28th, the WordFence team saw a 30 times increase in cross site scripting attack volume, originating from a single attacker, and targeting over a million WordPress sites. WordFence published research detailing the threat actor and attack volume increase on May 5th. By the time they published, the attack volume had dropped back down to baseline levels.
As of May 11, 2020, attacks by this same threat actor have once again ramped up, and are ongoing. This attacker has now attacked over 1.3 million sites in the past month. As of May 12, 2020, attacks by this threat actor have outpaced all other attacks targeting vulnerabilities across the WordPress ecosystem.
What should I do?
As with the previous attacks, the majority of vulnerabilities being targeted are Cross-Site Scripting (XSS) flaws. The Wordfence Firewall’s built-in XSS protection provides protection from these attacks. But you should still insure that all plugins, themes, and WordPress core are up to date.
Full story at https://www.wordfence.com/blog/2020/05/one-attacker-rules-them-all