An ongoing malvertising campaign against millions of WordPress websites has been observed by researchers. This attack capitalizes on the vulnerabilities in the older plugins of WordPress to inject code in the compromised sites. It creates rogue WordPress admin accounts to gain complete control of the websites.
How does the attack work?
One IP address is behind most of the attacks
Researchers from Wordfence observed that the attacks were initially from multiple IP addresses. Later on, all the IP addresses stopped attacking except for one — 104[.]130[.]139[.]134, a Rackspace server that is believed to be hosting compromised websites.
How to protect your website from the attacks?
A report by Imperva states, “98% of WordPress vulnerabilities are related to plugins, which extend the functionality and features of a website or a blog. Anyone can create a plugin and publish it — WordPress is open-source, easy to manage, and there is no enforcement or any proper process that mandates minimum security standards (e.g. code analysis). Hence, WordPress plugins are prone to vulnerabilities.”
This means WordPress users and admins must ensure that the latest versions of plugins are installed on the websites. It is also recommended that WordPress admins enable two-factor authentication for an added layer of security.
According to John Opdenakker, an ethical hacker, “It’s certainly a good idea to use a web application firewall to help block cross-site scripting (XSS) attacks.”