An unknown group of hackers is actively working on stealing WordPress database credentials from more than 1.3 million sites by downloading their configuration files. The used mechanism is to uncover unpatched versions of plugins that provide access to the wp-config.php file. Once they gain access to this file, they can use the contained information to take over the whole site.
Method of Infiltration: How the WordPress Blogs Are Hacked
The large-scale attack campaign depends on one of the most simple principles used by cybercriminals – the exploitation of unpatched software, which in WordPress-based sites means any installed plugins, themes, and the content management system.
The hackers typically do this by following either of these two approaches:
- Automatic Exploitation — This technique relies on web hacking toolkits that uncover outdated versions of plugins, themes, and WordPress installations. When such is found, they will use a suitable exploit to access the server file system and acquire the configuration file. The advantage of this method is that it can quickly enumerate a large number of sites.
- Manual Hacking — This approach relies on the criminals’ expertise to crack into a given WordPress site. Compared to the automated method, here, experienced criminals can be much more effective, as they can conduct prior research and possibly evade any security systems that might be placed.
As soon as the database credentials and configuration files are stolen, the hackers can access the contained within records. The username and password combinations of the affected users allow them to connect to the remote database and access all stored information in the site and effectively allow for an account overtake. When a database is accessed, the hackers will have the ability to browse all data belonging to all recorded users.
Also, Read What is wp-config.php (WordPress Configuration File)
The Large-Scale WordPress Attack and Its Implications
From there, various sabotage actions can occur, the most evident of which involves the complete removal of all web contents or the modification of data on attacked sites. Hackers with a specific plan can then lead to a so-called site defacement attack, where the replacement of all contents with a political message occurs. In these cases, the criminal groups may be motivated by a particular ideology or have been paid to do this by a state agency or competitor company.
Wordfence published statistics on the latest incident, citing a substantial increase in the number of exploit attempts against their clients. The guarded network was able to block more than 130 million hacking attempts. When the number accounted for other appliances, this has to lead to an estimate that more than 1.3 million WordPress sites have been targeted in this campaign alone.
The attacks started with a series of cross-site-scripting exploits, a common weakness that can be found among poorly designed plugins and themes. This allows hackers to trick the built-in scripts into executing code of their own choice, which leads to infiltration into the system.
Also, Read Be Warned: There’s A Surge in XSS Attacks against WordPress Sites
The campaign is overseen by an unknown hacking group which doesn’t show the motivations of the attackers. As of writing this article, no particular category of sites is focused on, meaning that the criminal group targets as many sites as possible.
In this situation, we at HowToHosting.Guide recommends that you patch your complete WordPress installation and watch out for any suspicious behavior.