Incapsula surveyed 1,000 websites over a 90-day period, during which we recorded over 1.4 million unauthenticated access attempts and 20,376 authenticated logins.
Their data shows that 2.8% of the unauthenticated attempts were made by human visitors. This suggests that most of these should be attributed to “human error” (e.g., typing the wrong password) and to the initial one-time 2FA activation process.
The numbers also show that another 1.8% of the unauthenticated visits were made by benevolent bots (e.g., search engines, legitimate crawlers, RSS readers, etc.) whose numbers would certainly be much higher, if not for the common practice of blocking the login URLs using the robots.txt file.
The remaining 94.1% of the visits were made by malicious automated tools – the kinds that are used to discover and exploit password-related security holes. Simply put, this means that on average 15 of every 16 visitors to your login page have ill attentions in mind.