News

Hackers attacked 900,000 WordPress sites over a week

Wordfence specialists noticed that a group of hackers launched a large-scale campaign against WordPress sites. Using various known vulnerabilities, hackers attacked almost a million resources over the last week.

This is not the first malicious campaign aimed at WordPress users, but the scale this time, and even against the backdrop of a pandemic, is pretty impressive.

The attacks began on April 28, 2020 and resulted in a thirty-fold increase in the amount of malicious traffic monitored by the company.

“The gang uses more than 24,000 different IP addresses for attacks and has already tried to hack over 900,000 WordPress sites. The attacks peaked last Sunday, May 3, 2020, when hackers made over 20,000,000 attempts to break into 500,000 different domains”, – said Wordfence specialists.

Researchers write that, basically, the group relies on exploiting a variety of XSS vulnerabilities and, with their help, injects malicious JavaScript code into sites, and then redirects incoming traffic to resources to malicious sites.

Also, the malware used by cybercriminals checks if the visitor is logged in as an administrator to try automatically create a backdoor using his account.

Wordfence reports that attackers exploit the following vulnerabilities in their campaign:

  • XSS vulnerability in the Easy2Map plugin, which was removed from the WordPress repository in August 2019. Attempts to exploit this vulnerability account for more than half of the total number of attacks, although the plugin is installed on less than 3000 sites;
  • The XSS vulnerability in the Blog Designer plugin, which was fixed in 2019. The plugin uses approximately 1,000 resources, but this vulnerability has already been used in other malicious campaigns;
  • Bug in the WP GDPR Compliance plugin, fixed at the end of 2018. Among other things, the problem allowed attackers to change the home URL of the site. Although this plugin has more than 100,000 installations, analysts estimate that at present only 5,000 of them are still vulnerable.
  • Vulnerability in Total Donations plugin that could change the website’s home URL. This plugin was removed from Envato Marketplace at the beginning of 2019, and there are currently less than 1,000 live installations.
  • XSS vulnerability in the Newspaper theme, which was fixed back in 2016. In the past, hackers also exploited this problem.

According to Wordfence experts, in the future, the group behind the attacks can develop new exploits and expand their arsenal, which will entail attacks on other vulnerabilities.

I also remind you that we wrote about a bug in the Rank Math WordPress plugin, which allows assigning administrator privileges to any user.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
James Brown

Technology news writer and part-time security researcher. Author of how-to articles related to Windows computer issue solving.

View Comments

  • […] attacks were carried out with 20,000 different IP addresses, most of which were previously used in another large-scale campaign, also targeted at WordPress sites and active in early May of this […]

Recent Posts

Remove Chernars pop-up ads (Virus Removal Guide)

Chernars.com is a domain that tries to force you into subscribing to its browser notifications…

22 hours ago

Remove Eclipse-adblocker.pro pop-up ads (Virus Removal Guide)

Eclipse-adblocker.pro is a site that tries to trick you into clik to its browser notifications…

22 hours ago

Remove Initiateadvancedcompletelythe-file.top pop-up ads (Virus Removal Guide)

Initiateadvancedcompletelythe-file.top is a site that tries to force you into subscribing to its browser notifications…

22 hours ago

Remove Pbmsoultions pop-up ads (Virus Removal Guide)

Pbmsoultions.com is a domain that tries to trick you into clik to its browser notifications…

4 days ago

Remove Prizestash pop-up ads (Virus Removal Guide)

Prizestash.com is a site that tries to trick you into subscribing to its browser notifications…

4 days ago

Remove Verifiedbreaking pop-up ads (Virus Removal Guide)

Verifiedbreaking.com is a domain that tries to force you into subscribing to its browser notifications…

4 days ago