HACKER Q&A
📣 DamnInteresting

Any insight on oddly tenacious and repetitive hacking attempts?


Hello HN! I am the owner of a long-lived WordPress site. I've seen a new and confusing attack pattern from would-be exploiters, and I seek opinions regarding the attackers' motives.

For as long as my site has been online (since 2005), it has been targeted by apparent "script kiddies," whose automated tools crawl the web hitting up WordPress sites like mine with prepared lists of known vulnerabilities in WordPress core, plugins, and themes. Apart from a breach ca. 2008 (my fault, I fell behind on my WordPress updates), none have gotten through; each attacker would just test all the vulnerabilities on their list and move on.

In mid-2021, my tools alerted me that a new and much more relentless person/organization had started probing for vulnerabilities. What struck me as odd is that they were hitting the server a few times a day, from various IPs, trying the same list of 5-6 vulnerabilities over and over. That struck me as a waste of resources; they'd need to be extremely lucky for me to happen to install one of those vulnerable plugins after their attacks began. After this went on for a few months I did some whois queries on their IPs and found that all came from Digital Ocean. So I sent all of my evidence to their abuse department, and they shortly terminated the client's account. That halted the attacks... but only briefly.

Within days the attacks resumed, but this time originating from a vast array of international IPs that were not from any single organization--proxy servers and Tor exit nodes and such. And the attack frequency increased significantly; rather than a few times per day, it has increased to several times per hour. But they are still using the same short list of vulnerabilities that has failed them so many times before.

I've captured the PHP files they are trying to deposit on the server; it is a typical H@x0r dashboard that allows the attacker to upload more files, execute arbitrary code, etc. Basic stuff.

Any ideas why an attacker would use this pattern of retrying a short list of failed exploits over and over? Why go to such lengths and expend such resources? Am I that juicy of a target, or are they just a bit thick-headed? Is there some underlying ingenuity that I am failing to appreciate? Has some sprawling automated hacking apparatus merely run amok? I welcome any insight. It's not really a problem; my defenses are holding. I just find the behavior a bit baffling.
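The pattern described in the question (the same short list of plugin/theme paths, requested over and over from many unrelated IPs) is exactly what a log-side detector can surface. The script below is an added example, not code from the original post or from either poster: it parses combined-format web server access logs, builds a per-IP "probe fingerprint" from the 404/403 hits under WordPress plugin, theme and admin paths, and reports any fingerprint shared by several distinct IPs. The log lines, IP addresses and plugin paths are constructed for the example; the thresholds (`min_paths`, `min_ips`) are assumptions to tune against your own traffic. It generalises beyond the 5-6 paths mentioned in the post to any fixed list an automated scanner replays.

```python
"""Detect a fixed-list vulnerability probe replayed from many source IPs.

Added example for a WordPress operator reviewing access logs; all sample
data below is constructed and does not describe any real plugin or scanner.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed nginx/Apache "combined" log lines: three unrelated IPs replay the
# same three probe paths, plus two legitimate page views as a control.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2022:10:01:03 +0000] "GET /wp-content/plugins/example-plugin-a/upload.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2022:10:01:04 +0000] "POST /wp-content/plugins/example-plugin-b/ajax.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2022:10:01:04 +0000] "GET /wp-content/themes/example-theme/include.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.77 - - [12/Mar/2022:10:22:41 +0000] "GET /wp-content/plugins/example-plugin-a/upload.php HTTP/1.1" 404 153 "-" "python-requests/2.25"
198.51.100.77 - - [12/Mar/2022:10:22:42 +0000] "POST /wp-content/plugins/example-plugin-b/ajax.php HTTP/1.1" 404 153 "-" "python-requests/2.25"
198.51.100.77 - - [12/Mar/2022:10:22:42 +0000] "GET /wp-content/themes/example-theme/include.php HTTP/1.1" 404 153 "-" "python-requests/2.25"
192.0.2.9 - - [12/Mar/2022:10:45:10 +0000] "GET /wp-content/plugins/example-plugin-a/upload.php HTTP/1.1" 404 153 "-" "curl/7.68"
192.0.2.9 - - [12/Mar/2022:10:45:11 +0000] "POST /wp-content/plugins/example-plugin-b/ajax.php HTTP/1.1" 404 153 "-" "curl/7.68"
192.0.2.9 - - [12/Mar/2022:10:45:11 +0000] "GET /wp-content/themes/example-theme/include.php HTTP/1.1" 404 153 "-" "curl/7.68"
203.0.113.200 - - [12/Mar/2022:11:02:00 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.200 - - [12/Mar/2022:11:02:03 +0000] "GET /2005/05/first-post/ HTTP/1.1" 200 9911 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Paths where scanner probes for known-vulnerable components land on a
# WordPress site. Assumed prefixes; extend for your own layout.
PROBE_PREFIXES = ("/wp-content/plugins/", "/wp-content/themes/",
                  "/wp-admin/", "/wp-includes/")


def parse_log(text):
    """Yield one dict per parseable log line; silently skip malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"].split("?", 1)[0],   # drop query string
            "status": int(m["status"]),
        }


def find_fixed_list_probes(records, min_paths=2, min_ips=3):
    """Group source IPs by the exact set of probe paths they requested.

    A probe is a 403/404 under PROBE_PREFIXES (the component is not installed,
    so the request fails). IPs whose probe set is identical are treated as the
    same scanner; a set seen from >= min_ips IPs is reported as a replayed list.
    """
    probes = defaultdict(set)     # ip -> set of probed paths
    seen = defaultdict(list)      # ip -> timestamps of its probes
    for r in records:
        if r["status"] in (403, 404) and r["path"].startswith(PROBE_PREFIXES):
            probes[r["ip"]].add(r["path"])
            seen[r["ip"]].append(r["ts"])

    by_list = defaultdict(list)   # frozenset(paths) -> [ip, ...]
    for ip, paths in probes.items():
        if len(paths) >= min_paths:
            by_list[frozenset(paths)].append(ip)

    findings = []
    for paths, ips in by_list.items():
        if len(ips) < min_ips:
            continue
        stamps = [t for ip in ips for t in seen[ip]]
        findings.append({
            "paths": sorted(paths),
            "ips": sorted(ips),
            "first": min(stamps),
            "last": max(stamps),
        })
    findings.sort(key=lambda f: -len(f["ips"]))
    return findings


if __name__ == "__main__":
    for f in find_fixed_list_probes(parse_log(SAMPLE_LOG)):
        span = f["last"] - f["first"]
        print(f"{len(f['ips'])} IPs replayed the same {len(f['paths'])}-path list "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S} ({span})")
        for p in f["paths"]:
            print("   ", p)
        print("    sources:", ", ".join(f["ips"]))
```

Fed your real logs (`parse_log(open("access.log").read())`), the fingerprint table tells you how many distinct sources are replaying each list and over what time span, which is the evidence an abuse report needs and a cleaner signal than per-IP rate limiting, since the sources rotate through proxies and Tor exit nodes while the path list stays constant.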


  👤 PaulHoule Accepted Answer ✓
They aren't just hitting you, they're hitting everybody. They are hoping they can make up for a low success rate in volume.

They don't care about conserving resources because they are using servers they've hacked.

A really sophisticated attacker (state level) who was trying to attack you personally would try to hit you with one connection and install something to cover their tracks immediately.