WordPress Sites Under Constant Attack

What is happening?

The current situation

• The attacks exploiting XSS vulnerabilities are primarily focused on planting a backdoor on the targeted sites. The backdoor payload will add a malicious JavaScript to every page on the site.
• For the non-XSS attacks, visitors are being attempted to be redirected to the same malvertising campaign by changing the URL of the home page of the site.

What the experts are saying

• Ram Gall, a QA engineer at Defiant, has stated that it is apparent from the variety and volume of the attacks that this is not a targeted campaign. The only motivation for this campaign seems to be monetization.
• Defiant has warned that this large-scale campaign can easily shift to other targets.
• WordPress plug-ins are a critical third-party risk since more than 70% of the scripts on a website are third-party.

What you can do

• Delete and deactivate the plug-ins that have been removed from the WordPress repositories. 
• Run a web application firewall. 

More insights

• IOCs have been provided by Wordfence that can be used by site admins to check if they were targeted.
• Wordfence users are protected from XSS attacks.
• More than half of the attacks were accounted for by Easy2Map plugin that was removed from the repository last year in August. This plugin is most likely installed on nearly 3000 sites.

In essence