According to a recent report, WordPress sites are enduring 30 times more attacks than normal. Read on to know more…
According to a recent report, WordPress sites are enduring 30 times more attacks than normal. It has been observed that attack attempts were made on more than 900,000 websites since April 28, 2020. According to Defiant, sevetral WordPress websites have been targeted by an unidentified bad actor in a large-scale hacking campaign over the past week.
Defiant, which makes Wordfence security plugins for the web publishing platform, said that it started noticing and tracking a spike in attacks targeting especially Cross-Site Scripting (XSS) vulnerabilities on April 28th. The large-scale campaign ultimately resulted in a 30-fold increase in attack traffic.
The majority of the attacks are suspected to be from the same threat actor. The same group is also potentially linked to targeting older known vulnerabilities in WordPress. There were more than 20 million attacks on 3rd May against 500,000 sites. Since the last month, approximately 24,000 distinct IP addresses have been detected that were attempting to launch the attacks.
Three of the five targeted vulnerabilities are XSS related. One of them affects the Easy2Map plugin, which accounted for more than half of the attacks and is likely installed on less than 3,000 websites. The second security hole resides in Blog Designer and was patched last year; it has been targeted before and Defiant estimates that there are approximately 1,000 vulnerable installations. The third XSS vulnerability is found in the Newspaper theme, which has also been at the center of attacks in the past and has been patched since 2016.
IOCs have been provided by Wordfence that can be used by site admins to check if they were targeted. Wordfence users are protected from XSS attacks. More than half of the attacks were accounted for by Easy2Map plugin that was removed from the repository last year in August. This plugin is most likely installed on nearly 3000 sites.
Based on the malicious payload, Defiant suspects that most of these attacks are being carried out by a single malicious actor. According to Wordfence QA engineer Ram Gall, the cybercriminal started off with a small volume of attacks and didn’t ramp up their efforts until last week, with the campaign peaking at 20 million attempted attacks against more than half a million websites on May 3rd.
It is worth noting that security updates are available for the flaws under exploitation, and that the patches were rolled out months and, in some cases, even years ago.
Users are advised to delete and deactivate the plug-ins that have been removed from the WordPress repositories and run a web application firewall.