The popularity of WordPress, the world's most widely used content management system, continues to make it a target for hackers and cyber criminals. It is a natural target because an attacker who breaks into one site can probably break into tens or even hundreds of thousands of other WordPress sites with the same technique. Attacks continue to rise: earlier this month a group attacked nearly one million WordPress sites, according to cyber-security firm Wordfence. The company reported that this particular group engaged in a campaign of massive proportions:


“While our records show that this threat actor may have sent out a smaller volume of attacks in the past, it's only in the past few days that they've truly ramped up. The group launched attacks from across more than 24,000 distinct IP addresses and attempted to break into more than 900,000 WordPress sites with more than 20 million exploitation attempts against half a million domains. The group primarily exploited cross-site scripting (XSS) vulnerabilities to plant malicious JavaScript code on websites, to redirect incoming traffic to malicious sites. The malicious code also scanned incoming visitors for logged-in administrators and then attempted to automate the creation of backdoor accounts via the unsuspecting admin users,” said Ram Gall, QA engineer at Wordfence.
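The final step of the campaign Gall describes, a rogue administrator account created through a logged-in admin's browser, leaves a clear signal on the site itself: a user gains the administrator role. The must-use plugin below is an added example (not Wordfence's or WordPress core's code) that alerts on exactly that event using two real WordPress hooks, `set_user_role` (which also fires when a user is first created with a role) and `add_user_role`. It assumes the file is placed in `wp-content/mu-plugins/` so it loads before ordinary plugins and cannot be deactivated from the dashboard; the function name `example_alert_admin_grant` is hypothetical.

```php
<?php
/**
 * Added example: alert whenever an account is given the administrator role.
 * Not part of the article or of any plugin it names. Function names are
 * hypothetical; the hooks and WordPress API calls are real.
 */

function example_alert_admin_grant( $user_id, $reason ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }

    // Who performed the change: ID 0 / empty login when no one is logged in
    // (e.g. a registration form or a cron job).
    $actor = wp_get_current_user();

    $ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-';
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '-';

    $line = sprintf(
        '[admin-grant] user=%s (#%d) reason=%s actor=%s (#%d) ip=%s uri=%s',
        $user->user_login,
        $user_id,
        $reason,
        $actor->user_login ?: 'none',
        $actor->ID,
        $ip,
        $uri
    );

    // Lands in PHP's error log, or wp-content/debug.log when WP_DEBUG_LOG is on,
    // so it survives even if the attacker later deletes the account.
    error_log( $line );

    // Out-of-band notification to the site owner.
    wp_mail(
        get_option( 'admin_email' ),
        sprintf( '[%s] administrator role granted', get_bloginfo( 'name' ) ),
        $line
    );
}

// WP_User::set_role() fires this for role changes and for newly created users
// (old roles are empty in that case), so one hook covers both paths.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    $old_roles = (array) $old_roles;
    if ( 'administrator' === $role && ! in_array( 'administrator', $old_roles, true ) ) {
        $from = $old_roles ? implode( ',', $old_roles ) : 'new user';
        example_alert_admin_grant( $user_id, 'set_role from ' . $from );
    }
}, 10, 3 );

// WP_User::add_role() does not go through set_role(), so cover it separately.
add_action( 'add_user_role', function ( $user_id, $role ) {
    if ( 'administrator' === $role ) {
        example_alert_admin_grant( $user_id, 'add_role' );
    }
}, 10, 2 );
```

These hooks only see changes made through the WordPress user API; an account inserted directly into the database bypasses them, so pair the alert with a periodic audit of the administrator list (for instance `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` with WP-CLI) and treat any administrator you did not create as a compromise indicator.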


Hackers generally target the many plugins and themes used by WordPress developers. These are often a cheap and quick solution for a developer, but they can be poorly written with inherent vulnerabilities, or badly maintained with out-of-date security patches. The recent attacks, for example, targeted many such plugins, including Easy2Map, Blog Designer, WP GDPR Compliance, Total Donations and the Newspaper theme.


Vulnerabilities have also been uncovered in the PageLayer plugin, which many sites use to build web pages with a user-friendly drag-and-drop editor, that could allow hackers to hijack the more than 200,000 websites that use it. The bugs could be used to perform all manner of malicious activity, including creating admin accounts, funnelling visitors to dangerous domains, invading a visitor's computer via the web browser, injecting rigged code, changing site content and even erasing all content.


“One flaw allowed any authenticated user with subscriber-level and above permissions the ability to update and modify posts with malicious content, amongst many other things. A second flaw allowed attackers to forge a request on behalf of a site's administrator to modify the settings of the plugin which could allow for malicious JavaScript injection.”
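The two flaws quoted above are the two checks a WordPress request handler most often omits: a capability check (so a subscriber cannot edit posts) and a nonce check (so a request forged from an administrator's browser is rejected). The snippet below is an added illustration, not PageLayer's code, showing a page-builder style AJAX save handler first with both checks missing and then hardened. All names (`mybuilder_*`, the `mybuilder_save` and `mybuilder_settings` nonce actions, the `editor.js` script) are hypothetical; the WordPress functions called are real.

```php
<?php
/**
 * Added illustration of the missing-check pattern behind the two quoted flaws.
 * Not PageLayer's code; plugin/function names are hypothetical.
 */

// --- VULNERABLE PATTERN (do not ship) --------------------------------------
// 1) No capability check: any logged-in user, including a subscriber, can
//    overwrite any post by ID.
// 2) No nonce check: a request forged from a logged-in admin's browser is
//    accepted as if the admin had made it (CSRF).
// 3) Raw HTML is stored, so script tags become stored XSS for every visitor.
function mybuilder_save_vulnerable() {
    $post_id = (int) $_POST['post_id'];
    wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => $_POST['content'],
    ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_mybuilder_save_vulnerable', 'mybuilder_save_vulnerable' );

// --- HARDENED PATTERN ------------------------------------------------------
function mybuilder_save_hardened() {
    // (a) CSRF: the request must carry a nonce this plugin issued to this user
    //     for this action. On failure check_ajax_referer() ends the request.
    check_ajax_referer( 'mybuilder_save', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id ) {
        wp_send_json_error( 'missing post_id', 400 );
    }

    // (b) Authorization: the meta capability edit_post is resolved per post,
    //     so a subscriber, or an author editing someone else's post, is refused.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // (c) Stored XSS: reduce the markup to the post-safe allow-list unless the
    //     user holds unfiltered_html. Done explicitly here rather than relying
    //     on save-time filters a plugin may have removed.
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $content = wp_kses_post( $content );
    }

    wp_update_post( array( 'ID' => $post_id, 'post_content' => $content ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_mybuilder_save', 'mybuilder_save_hardened' );

// Plugin settings: same two checks, with manage_options instead of edit_post,
// and the value sanitized before it is stored.
function mybuilder_save_settings() {
    check_ajax_referer( 'mybuilder_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $label = isset( $_POST['label'] ) ? sanitize_text_field( wp_unslash( $_POST['label'] ) ) : '';
    update_option( 'mybuilder_label', $label );
    wp_send_json_success();
}
add_action( 'wp_ajax_mybuilder_settings', 'mybuilder_save_settings' );

// Where the nonces come from: issued server-side and handed to the editor
// script, which sends them back as the "nonce" POST field.
add_action( 'admin_enqueue_scripts', function () {
    wp_register_script( 'mybuilder-editor', plugins_url( 'editor.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'mybuilder-editor', 'MyBuilder', array(
        'ajaxUrl'       => admin_url( 'admin-ajax.php' ),
        'saveNonce'     => wp_create_nonce( 'mybuilder_save' ),
        'settingsNonce' => wp_create_nonce( 'mybuilder_settings' ),
    ) );
    wp_enqueue_script( 'mybuilder-editor' );
} );
```

Note that the `wp_ajax_` prefix already restricts these handlers to logged-in users, which is exactly why that alone is not enough: a subscriber is logged in, and so is the administrator whose browser a forged request rides on. Authentication tells you who is asking; only the capability check decides whether they may, and only the nonce decides whether they actually meant to.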


The flaws were discovered on 30th April and PageLayer issued a patch on 6th May. However, only around 85,000 users had updated to the latest version in the following 3 weeks, leaving some 120,000 still at risk. Wordfence warned that the group is sophisticated enough to develop new techniques and could target other vulnerabilities in the future, and advised WordPress website owners to update any themes and plugins installed on their sites.