Attackers tried to grab WordPress configuration files from over a million sites

A threat actor that attempted to insert a backdoor into nearly a million WordPress-based sites in early May (and kept trying throughout the month) went on to try to grab the WordPress configuration files of 1.3 million sites at the end of the same month.


In both cases, the threat actor tried to exploit old vulnerabilities in outdated WordPress plugins and themes.

The latest attacks

“The previously reported XSS campaigns sent attacks from over 20,000 different IP addresses. The new campaign is using the same IP addresses, which accounted for the majority of the attacks and sites targeted. This campaign is also attacking nearly a million new sites that weren’t included in the previous XSS campaigns,” Wordfence threat analyst Ram Gall shared.

The goal of this latest campaign was to grab the wp-config.php file, which contains database credentials, connection information, authentication keys and salts.

“An attacker with access to this file could gain access to the site’s database, where site content and users are stored,” Gall pointed out.

He did not say which specific plugins and themes the attackers zeroed in on, but said that most of the vulnerabilities are in themes or plugins designed to allow file downloads by reading the content of a file requested in a query string and then serving it up as a downloadable attachment.

How to check whether your sites have been hit?

Blocking connections from all attack IP addresses should not be attempted, because there are simply too many, but doing it for the top 10 attacking IP addresses might be a good idea.

Site admins can check their server logs for log entries containing wp-config.php in the query string that returned a 200 response code. If they find them and data has been transferred, chances are their site(s) have been compromised by these attackers.
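One way to run the log check described above, as an added example written for this article (not a Wordfence tool): it parses Apache/nginx combined-format access logs, flags requests that name wp-config.php in the query string, and marks a hit as a likely compromise only when the server answered 200 and actually sent bytes. The log lines, IP addresses and plugin paths in the sample are constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" access log line (regex written for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def is_config_grab(line: str) -> Optional[Dict]:
    """Return details if the request names wp-config.php in its query string, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    # parse_qsl percent-decodes values, so an encoded "..%2Fwp-config.php" is matched too.
    hits = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if "wp-config.php" in v.lower()]
    if not hits:
        return None
    status = int(m.group("status"))
    nbytes = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return {
        "ip": m.group("ip"), "ts": m.group("ts"),
        "param": hits[0][0], "value": hits[0][1],
        "status": status, "bytes": nbytes,
        # The article's criterion: a 200 response with a body actually transferred.
        "likely_compromised": status == 200 and nbytes > 0,
    }

def scan(log_text: str) -> List[Dict]:
    return [f for f in (is_config_grab(l) for l in log_text.splitlines()) if f]

def top_ips(findings: List[Dict], n: int = 10) -> List[Tuple[str, int]]:
    """Most active source IPs among the matches (candidates for blocking)."""
    return Counter(f["ip"] for f in findings).most_common(n)

# Constructed sample log; IPs are from documentation ranges, plugin/theme paths are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [30/May/2020:10:01:12 +0000] "GET /wp-content/plugins/example-dl/download.php?file=wp-config.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [30/May/2020:10:01:15 +0000] "GET /wp-content/themes/example-theme/dl.php?path=..%2F..%2Fwp-config.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.9 - - [30/May/2020:10:02:01 +0000] "GET /?p=123 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [30/May/2020:10:02:30 +0000] "GET /wp-content/plugins/example-dl/download.php?file=wp-config.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        flag = "COMPROMISE LIKELY" if f["likely_compromised"] else "attempt"
        print(f"{f['ts']} {f['ip']} {f['param']}={f['value']} -> {f['status']} {f['bytes']}B [{flag}]")
    print("top sources:", top_ips(found))
```

A 404 or a 200 with zero bytes is still worth recording as an attempt, since the same source may succeed against a different plugin path later.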

They should change their database password and authentication unique keys and salts immediately, but not without updating the WP configuration file first.

“If you’re not comfortable making [these changes], please contact your host, since changing your database password without updating the wp-config.php file can temporarily take down your site,” he warned.

It should go without saying that admins should regularly update plugins and delete those they don't use anymore.
