A vast campaign targeting WordPress-based websites was identified by the Wordfence Firewall as it targeted 1.3 million pages, trying to leverage known plugin and theme vulnerabilities.
WordPress is just one of the platforms used to create and deploy websites and, just like its competitors, it is constantly subject to attacks. Since it is a complex ecosystem, with numerous plugins and themes serving millions of projects, the attack surface is considerable.
As not all developers fix security problems identified in their components, and not all webmasters actually upgrade the components to their latest version, the number of exposed websites is substantial.
A total of 130 million attacks were deployed against 1.3 million websites over the course of just three days, between May 29 and May 31.
The attackers are looking for unpatched XSS vulnerabilities. Exploited successfully, the vulnerabilities would let the bad actors access the configuration files and database credentials.
“In this case the attackers are attempting to download wp-config.php, a file critical to all WordPress installations which contains database credentials and connection information, in addition to authentication unique keys and salts,” say the researchers. “An attacker with access to this file could gain access to the site’s database, where site content and users are
In short, if the attack is successful, criminals could use the stolen credentials to add an administrative user, steal data, or even delete the website entirely. Although the attack lasted just three days, more than 20,000 different IP addresses were used, and this is not the first such campaign, which indicates the presence of an extensive attack botnet.
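Because a legitimate WordPress front end never requests wp-config.php by name, a request that references that file in its path or query string is a useful indicator for this campaign. The following added example (not from the advisory or from Wordfence) scans web-server access logs for such attempts, decodes URL-encoded variants, and counts distinct source IPs; the log lines are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines in Apache "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [30/May/2020:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [30/May/2020:10:01:05 +0000] "GET /wp-content/plugins/example/download.php?file=../../wp-config.php HTTP/1.1" 200 3011 "-" "curl/7.68.0"
198.51.100.8 - - [30/May/2020:10:01:09 +0000] "GET /wp-content/themes/example/export.php?path=..%2F..%2Fwp-config.php HTTP/1.1" 404 512 "-" "python-requests/2.23"
203.0.113.10 - - [30/May/2020:10:02:00 +0000] "GET /index.php?p=42 HTTP/1.1" 200 7312 "-" "Mozilla/5.0"
198.51.100.7 - - [30/May/2020:10:02:11 +0000] "GET /wp-content/plugins/example/download.php?file=../../wp-config.php HTTP/1.1" 200 3011 "-" "curl/7.68.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_wp_config_fetch(target: str) -> bool:
    """True if the request path or query references wp-config.php.
    Decodes twice so single- and double-URL-encoded forms are both caught."""
    decoded = unquote(unquote(target))
    return "wp-config.php" in decoded.lower()


def find_wp_config_attempts(log_text: str):
    """Return (events, per_ip). events is a list of (ip, status, target);
    per_ip counts attempts per source address, which helps size a botnet."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_wp_config_fetch(m["target"]):
            events.append((m["ip"], int(m["status"]), m["target"]))
    per_ip = Counter(ip for ip, _, _ in events)
    return events, per_ip


if __name__ == "__main__":
    events, per_ip = find_wp_config_attempts(SAMPLE_LOG)
    for ip, status, target in events:
        # A 200 means the server handed something back: treat the site as compromised
        # until wp-config.php has been checked and its credentials and salts rotated.
        note = "SUCCEEDED - rotate credentials" if status == 200 else "blocked or missing"
        print(f"{ip} {status} {note} {target}")
    print("distinct source IPs:", len(per_ip))
```

A 200 response on one of these requests is the trigger for the credential rotation the advisory recommends; a 404 or 403 still identifies a source address worth blocking.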
WordPress users are advised to look for the indicators of compromise underlined in the advisory and to make sure to change the credentials if they think they might have been