More than one million WordPress sites attacked over the weekend of late May 2020

WordPress throughout its history has always found itself appearing in the news for its security vulnerabilities. The most recent vulnerability incident with WordPress is with a plugin call Page Builder by SiteOrigin.

Attackers mount a campaign over the weekend of 29 – 31 May against more than one million WordPress sites in an attempt to download wp-config.php, a file critical to all WordPress installations. This file contains sensitive information such as database credentials, connection information as well as unique authentication salt and keys. Therefore, anyone with access to the file could gain access to the database where the site content and users are stored.

To download that file, the attackers targeted cross-site scripting (XSS) vulnerabilities found in older plugins or themes that allow files to be downloaded or exported.

The attacks came from more than 20,000 IP addresses, which were also implicated in a previous attack that happened earlier in May 2020 used by the same threat actor.

The earlier attack targetted a different set of XSS vulnerabilities with the intention of having visitors redirected to malvertising sites. This set of vulnerabilities were found in plugins that have mostly been patched or plugins that have been removed from the WordPress plugin repository. Below is the list of plugins and their respective vulnerabilities that were popular with the attackers.

  • Easy2Map plugin — Removed from WordPress plugin repository due to XSS vulnerability
  • Blog Designer — XSS vulnerability that was patched in 2019
  • WP GDPR Compliance — Options update vulnerability that was patched in late 2018
  • Total Donations — Removed from Envato Marketplace permanently. It had a critical options update vulnerability.
  • Newspaper theme — XSS vulnerability that was patch in 2016.

The good news is that WordPress site owners who uses Wordfence are protected. According to Ram Gall at Wordfence, the Wordfence firewall blocked over 130 million attacks intended on harvesting database credentials.

How do you know if you were attacked?

The attack should be logged. You could look for any log entries that contain wp-config.php in the query string with the HTTP response code 200.

Below are the top 10 IP addresses used for this attack campaign.

  • 200.25.60.53
  • 51.255.79.47
  • 194.60.254.42
  • 31.131.251.113
  • 194.58.123.231
  • 107.170.19.251
  • 188.165.195.184
  • 151.80.22.75
  • 192.254.68.134
  • 93.190.140.8

What should you do next?

WordPress sites running Wordfence are protected from the attack. For the other users, you should change the database password and the unique authentication keys and salt immediately if you believe you are compromised.

The reason is simple.

WordPress servers that have been configured to allow remote database access could easily allow an attacker with the database credentials to add an administrative user, extract sensitive data or delete the site. Even if remote database access is not enabled, an attacker who knows the authentication keys and salts could bypass other security mechanisms that protect your site more easily.

And what if you are not comfortable making changes mentioned above?

Then you should contact your host or service provider since changing the database password without updating the wp-config.php file can render your site offline temporarily.

Last but not least, you should also update any plugins and themes. You may also want to consider changing the plugins or themes if these are no longer maintained by the original developers.


This article uses material from Wordfence.

Published by

Brandon Lim

I'm a software engineer and writing is my passion.

One thought on “More than one million WordPress sites attacked over the weekend of late May 2020”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s