An attack over the weekend unsuccessfully targeted 1.3 million WordPress websites, in attempts to download their configuration files and harvest database credentials.