Millions of WordPress Websites Under Attack by Cybercriminals
Millions of WordPress websites are being actively targeted in a global cyberattack. Hackers are using 16,000 IP addresses to exploit security vulnerabilities in 1.6 million WordPress sites.
The attack targets four WordPress plugins and fifteen themes built on the Epsilon Framework.
WordPress is a well-known content management system (CMS) used by 34 percent of all websites worldwide, powering about 455 million sites. There are two distinct versions of the popular CMS – wordpress.org and wordpress.com. WordPress is used for major sites such as eBay, the New York Times, the White House, and BBC America.
Both are built on PHP and MySQL backends. With the addition of plugins and open-source software, WordPress.org is far more customizable than the free WordPress.com version.
“Over the past 36 hours, the Wordfence network has blocked over 13.7 million attacks targeting four different plugins and several Epsilon Framework themes across over 1.6 million sites and originating from over 16,000 different IP addresses,” says the post on Wordfence.
This WordPress cyberattack exploits the vulnerabilities to change settings in the WordPress database. Attackers alter the site's security settings so that anyone can register as a user on the website, and change the default role assigned to newly registered users from subscriber to administrator.
With those settings in place, the attackers can register an account and take control of the compromised website.
To determine if your site was compromised in this cyberattack, review roles assigned to all users and default roles for new users. Look for users who have been granted administrative privileges. Also, look for any newly registered accounts that seem suspicious.
How to Locate WordPress Admin Users:
Time needed: 10 minutes.
- Log into WordPress
- From WordPress Dashboard, select “Users”
- Sort by Admin users
- Select Administrator at the top of the screen
- Check user privileges
Look for users with admin rights or newly registered users.
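As an added example (not from the article or from Wordfence), this Python check performs the review described above against database rows: it reads the two wp_options values the campaign changes, extracts each account's roles from the `wp_capabilities` usermeta entry WordPress uses to store them, and flags administrator accounts and accounts registered after a cut-off date. All table rows, user names and dates below are constructed.

```python
"""Audit a WordPress database for the changes the campaign makes: registration
opened, default_role set to administrator, and rogue administrator accounts."""
import re
from datetime import datetime

# WordPress stores each user's roles in usermeta under "<table prefix>capabilities"
# as a PHP-serialised array, e.g. a:1:{s:13:"administrator";b:1;}
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')

def roles_from_capabilities(serialized):
    """Return the set of role names granted in a serialised capabilities value."""
    return set(ROLE_RE.findall(serialized))

def audit(options, users, usermeta, since, prefix="wp_"):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if options.get("users_can_register") == "1":
        findings.append("users_can_register is on: anyone can create an account")
    default_role = options.get("default_role", "subscriber")
    if default_role != "subscriber":
        findings.append(f"default_role is '{default_role}', expected 'subscriber'")
    roles_by_user = {m["user_id"]: roles_from_capabilities(m["meta_value"])
                     for m in usermeta if m["meta_key"] == prefix + "capabilities"}
    cutoff = datetime.fromisoformat(since)
    for u in users:
        roles = roles_by_user.get(u["ID"], set())
        if "administrator" in roles:
            findings.append(f"administrator: {u['user_login']} registered {u['user_registered']}")
        if datetime.fromisoformat(u["user_registered"]) >= cutoff:
            findings.append(f"new account: {u['user_login']} roles={sorted(roles)}")
    return findings

# Constructed sample rows (not from any real site): options as the attackers leave
# them, one long-standing admin, one editor, and a freshly self-registered admin.
SAMPLE_OPTIONS = {"users_can_register": "1", "default_role": "administrator"}
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2019-03-02 10:15:00"},
    {"ID": 7, "user_login": "editor_jane", "user_registered": "2021-06-14 08:00:00"},
    {"ID": 42, "user_login": "xk9q2", "user_registered": "2021-12-09 03:41:12"},
]
SAMPLE_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 7, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_id": 42, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]

if __name__ == "__main__":
    # The cut-off is a constructed date; use the date the site was last known to be clean.
    for line in audit(SAMPLE_OPTIONS, SAMPLE_USERS, SAMPLE_USERMETA, "2021-12-08 00:00:00"):
        print(line)
```

On a live site the same rows come from `wp_options`, `wp_users` and `wp_usermeta` (with the site's own table prefix passed as `prefix`).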
“Due to the severity of these vulnerabilities and the massive campaign targeting them, it is incredibly important to ensure your site is protected from compromise,” says Wordfence.
Vulnerable WordPress Plugins:
- PublishPress Capabilities <= 2.3
- Kiwi Social Plugin <= 2.0.10
- Pinterest Automatic <= 4.14.3
- WordPress Automatic <= 3.53.2
Targeted WordPress Epsilon Themes:
- Shapely version 1.2.8 and earlier
- NewsMag version 2.4.1 and earlier
- Activello version 1.4.1 and earlier
- Illdy version 2.1.6 and earlier
- Allegiant version 1.2.5 and earlier
- Newspaper X version 1.3.1 and earlier
- Pixova Lite version 2.0.6 and earlier
- Brilliance version 1.2.9 and earlier
- MedZone Lite version 1.2.5 and earlier
- Regina Lite version 2.0.5 and earlier
- Transcend version 1.1.9 and earlier
- Affluent before version 1.1.0
- Bonkers version 1.0.5 and earlier
- Antreas version 1.0.6 and earlier
- NatureMag Lite – all versions
All WordPress sites using the Epsilon framework and one or more of the four impacted plugins should update plugins and themes immediately. After updating, check for suspicious user accounts.