WordPress Cyberattack

Attackers exploited XSS vulnerabilities in WordPress themes and plugins to steal database credentials

Hundreds of thousands of WordPress websites were targeted over the course of 24 hours in a large scale cyberattack with the aim of harvesting database credentials.

The cybercriminals behind the attack were attempting to download the wp-config.php configuration files from users WordPress sites as they contain valuable information including database credentials, connection info, authentication unique keys and salts.

They tried to exploit known cross-site scripting (XSS) vulnerabilities in WordPress plugins and themes installed on users’ sites as a means to gain access to their credentials with the end goal of completely taking over their sites.

  • Yet more WordPress plugin flaws undermine website security
  • Thousands of WordPress sites redirecting users to dangerous domains
  • These are the best WordPress themes and best WordPress plugins of 2020

In a blog post, QA engineer and threat analyst Ram Gall provided further insight on the sheer scale of the campaign, saying:

“Between May 29 and May 31, 2020, the Wordfence Firewall blocked over 130 million attacks intended to harvest database credentials from 1.3 million sites by downloading their configuration files. The peak of this attack campaign occurred on May 30, 2020. At this point, attacks from this campaign accounted for 75% of all attempted exploits of plugin and theme vulnerabilities across the WordPress ecosystem.”

Targeting WordPress accounts

Security researchers at Wordfence were able to link this campaign to another large-scale attack that began on April 28 by analyzing the 20,000 different IP addresses used in this latest attack.

In the previous campaign, the threat actor the company tracked tried to plant backdoors or redirect visitors to malvertising sites by exploiting XSS vulnerabilities in plugins that had been patched but had yet to have been updated by WordPress site owners.

In just one day on May 3, the attackers behind these campaigns managed to launch over 20m attacks against more than half a million sites.

As is often the case, WordPress site owners can defend against these types of attacks by ensuring that all of the plugins and themes installed on their sites have been updated to the latest version and by applying and patches released by their creators. Additionally, they should delete or disable outdated themes and plugins that have been removed from the official WordPress repository since they are no longer being maintained.