A vast campaign targeting WordPress-based websites was identified by the Wordfence Firewall: it hit 1.3 million sites, trying to leverage known plugin and theme vulnerabilities.
WordPress is just one of the platforms used to create and deploy websites and, like its competitors, it is constantly under attack. Since it is a complex ecosystem, with numerous plugins and themes used across millions of projects, its attack surface is considerable.
Since not all developers fix the security problems identified in their components, and not all webmasters upgrade those components to the latest version, the number of exposed websites is substantial.
A total of 130 million attacks were launched against 1.3 million websites over the course of just three days, between May 29 and May 31. The attackers are looking for unpatched XSS vulnerabilities; exploited successfully, these would let them access configuration files and database credentials.
“In this case the attackers are attempting to download wp-config.php, a file critical to all WordPress installations which contains database credentials and connection information, in addition to authentication unique keys and salts,” say the researchers. “An attacker with access to this file could gain access to the site’s database, where site content and users are stored.”
In short, if the attack succeeds, criminals could use the stolen credentials to add an administrative user, steal data, or even delete the website entirely. Although the attack lasted just three days, over 20,000 different IP addresses were used, and it is not the first time; this indicates the presence of an extensive attack botnet.
WordPress users are advised to check for the indicators of compromise listed in the advisory and to change their credentials if they believe they may have been compromised.
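As an added example (not from the article or from Wordfence), the check below scans web-server access log lines for requests that reference wp-config.php in the path or query string, the file the campaign tried to download, decodes URL-encoded forms, and tallies distinct source IPs so a site owner can see how distributed the probing is and which requests were actually served with HTTP 200. The log lines, plugin and theme names and IP addresses are constructed placeholders, not real indicators.

```python
# Added example: flag access-log requests that target wp-config.php and summarise
# them per source IP. Not code from the article or the Wordfence advisory.
import re
from collections import Counter
from urllib.parse import unquote

# Common/combined log format: client IP, identd, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample log (hypothetical IPs, plugin and theme names), for the demo only.
SAMPLE_LOG = """\
203.0.113.7 - - [29/May/2020:10:01:02 +0000] "GET /wp-content/plugins/hypothetical-plugin/download.php?file=../../../../wp-config.php HTTP/1.1" 200 3120
198.51.100.23 - - [29/May/2020:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.8 - - [29/May/2020:10:02:11 +0000] "GET /wp-content/themes/hypothetical-theme/export.php?path=%2E%2E%2F%2E%2E%2Fwp-config.php HTTP/1.1" 404 210
203.0.113.7 - - [29/May/2020:10:03:30 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 195
198.51.100.23 - - [29/May/2020:10:04:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

def parse_line(line):
    """Return (ip, request_target, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")
    target = parts[1] if len(parts) >= 2 else m.group("req")
    return m.group("ip"), target, int(m.group("status"))

def targets_wp_config(target):
    """True when the path or any query value references wp-config.php after
    URL-decoding; decode twice so double-encoded traversal is not missed."""
    decoded = unquote(unquote(target)).lower()
    return "wp-config.php" in decoded

def find_config_download_attempts(log_text):
    """Return attempts (all flagged requests), ips (Counter of sources) and
    served (flagged requests answered with 200, which need the closest look)."""
    attempts, served = [], []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and targets_wp_config(parsed[1]):
            attempts.append(parsed)
            if parsed[2] == 200:
                served.append(parsed)
    return {"attempts": attempts, "ips": Counter(a[0] for a in attempts), "served": served}

if __name__ == "__main__":
    r = find_config_download_attempts(SAMPLE_LOG)
    print(f"{len(r['attempts'])} attempts from {len(r['ips'])} IPs; {len(r['served'])} returned 200")
    for ip, target, status in r["served"]:
        print("  served:", ip, target, status)
```

A request for wp-config.php that returned 200 means the file may have been disclosed, which is the case where rotating the database credentials and the authentication keys and salts in that file is warranted.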