Hackers attacked 900,000 WordPress sites


In the past seven days, a hacker group has tried to hijack almost a million WordPress sites, according to the security company Wordfence. Wordfence's Threat Intelligence team registered a sudden increase in attacks on cross-site scripting (XSS) vulnerabilities that started on April 28 and within 30 days grew to 30 times the usual volume of attack data.

A single threat actor is apparently behind most of these attacks, Wordfence writes. This hacker group launched its attacks from 24,000 IP addresses and tried to break into more than 900,000 WordPress sites. The campaign peaked on May 3, when the group made 20 million attempts to exploit vulnerabilities in more than half a million individual sites.

First and foremost, the hackers attempted to place malicious JavaScript code on the attacked pages via XSS vulnerabilities in order to redirect visitors to the manipulated website. The malicious code also scanned for administrator logins so that it could automatically create backdoor accounts.


The normally obfuscated PHP backdoor, shown here in a readable ("deobfuscated") version.

(Image: Wordfence)

Wordfence speculates that the hackers could switch to other vulnerabilities in the future and provides Indicators of Compromise (IoCs) that website operators can use to determine whether their site has been compromised. These include, for example, special strings that are present in the payload, and timestamps that indicate when the page was last checked for re-infection and that are stored in a file with the misspelled name "debugs.log".
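As an added example (not Wordfence's code and not part of the original article), the following sketch sweeps a WordPress document root for the "debugs.log" marker file and for payload strings. The article does not list the payload strings, so they must be supplied from Wordfence's published IoCs; the scanned file extensions and the attempt to read the file content as Unix epoch seconds are assumptions.

```python
import os
from datetime import datetime, timezone
from pathlib import Path

IOC_FILENAME = "debugs.log"               # misspelled marker file named in the article
SCAN_SUFFIXES = {".php", ".js", ".html"}  # assumption: file types checked for payload strings
MAX_READ = 2 * 1024 * 1024                # assumption: read at most 2 MiB per file


def _utc(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def sweep(docroot, payload_markers=()):
    """Walk docroot and return a list of finding dicts, sorted by path."""
    markers = [m.encode() for m in payload_markers if m]
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):  # symlinked directories are not followed
        for name in files:
            path = Path(dirpath) / name
            try:
                if name == IOC_FILENAME:
                    raw = path.read_bytes()[:64].decode("utf-8", "replace").strip()
                    # Assumption: the content may be Unix epoch seconds; otherwise keep raw text.
                    is_epoch = raw.isascii() and raw.isdigit() and len(raw) <= 10
                    findings.append({"path": str(path), "ioc": "marker-file",
                                     "modified": _utc(path.stat().st_mtime),
                                     "last_check": _utc(int(raw)) if is_epoch else raw})
                elif markers and path.suffix.lower() in SCAN_SUFFIXES:
                    with open(path, "rb") as fh:
                        data = fh.read(MAX_READ)
                    hits = [m.decode() for m in markers if m in data]
                    if hits:
                        findings.append({"path": str(path), "ioc": "payload-string",
                                         "matched": hits})
            except OSError as exc:  # unreadable files are reported, not silently skipped
                findings.append({"path": str(path), "ioc": "unreadable", "error": str(exc)})
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    import sys
    # Usage: python sweep.py <docroot> <payload string from the IoC list> ...
    for finding in sweep(sys.argv[1], sys.argv[2:]):
        print(finding)
```

A hit on the marker file alone is worth investigating even when no payload string matches, since the strings in injected code can change between campaign phases.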

The majority of the attacks observed target vulnerabilities that have been known and patched for months or years. Therefore, the best prevention (a truism in IT security) is to keep all plug-ins up to date and to deactivate and delete all plug-ins that have been removed from the WordPress plug-in repository.

