900,000 WordPress websites have been under malicious attacks. The purpose of the attacks is to either redirect website visitors to malvertising pages, or infect them with a backdoor in case an administrator is logged in. The attacks were discovered and reported by security researchers at Wordfence.
How are the attacks against nearly 1 million WordPress sites possible?
The answer to this question is rather simple, and the scenario has been seen in many other similar attacks against WordPress sites. The attacks have been possible because of unpatched vulnerabilities in WordPress plugins and themes.
Moreover, some of the abused vulnerabilities have been exploited in previous attacks. Here is a list of the security flaws the attackers leveraged against the vulnerable WordPress sites, as given by the Wordfence team:
1. An XSS vulnerability in the Easy2Map plugin, which was removed from the WordPress plugin repository in August of 2019, and which we estimate is likely installed on less than 3,000 sites. This accounted for more than half of all of the attacks.
2. An XSS vulnerability in Blog Designer which was patched in 2019. We estimate that no more than 1,000 vulnerable installations remain, though this vulnerability was the target of previous campaigns.
3. An options update vulnerability in WP GDPR Compliance patched in late 2018 which would allow attackers to change the site’s home URL in addition to other options. Although this plugin has more than 100,000 installations, we estimate that no more than 5,000 vulnerable installations remain.
4. An options update vulnerability in Total Donations which would allow attackers to change the site’s home URL. This plugin was removed permanently from the Envato Marketplace in early 2019, and we estimate that less than 1,000 total installations remain.
5. An XSS vulnerability in the Newspaper theme which was patched in 2016. This vulnerability has also been targeted in the past.
How to protect your WordPress site
Since the number of attacked websites is enormous, reaching almost 1 million, it is highly likely that your WordPress is either compromised or at risk.
To avoid any issues, make sure that all your plugins are updated regularly. You can also delete any plugins that have been removed from the WordPress plugin repository. Another useful tip provided by the security team is running a Web Application Firewall to help protect your site against any vulnerabilities that might have not yet been patched.