Thousands of WordPress websites hit in new malware attack, here's what we know

News
By
published

No one is quite sure how the sites got infected with malware

Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
(Image credit: Shutterstock/monticello)
  • Security researchers find more than 5,000 websites carrying a piece of malicious code
  • The malware installs a plugin that steals login credentials and sensitive data
  • The researchers recommended a number of mitigation measures

Thousands of WordPress websites were observed running malware able to create a rogue admin account and exfiltrated sensitive data through malicious plugins.

A new report from security researcher Himanshu Anand from c/side claims said at least 5,000 WordPress websites were found hosting a malicious script that creates an unauthorized admin account with a username and password that can be found in the code.

After creating the account, the script will download a malicious WordPress plugin, and run it. The plugin, which wasn’t named, is tasked with exfiltrating sensitive data to a remote server. The data being pulled includes admin credentials and operation statuses, it was added.

How to defend

The researchers could not determine exactly how the malicious code ended up on these websites.

“So far, we haven't identified a common denominator, and our investigation is ongoing,” Anand said.

Those interested in double-checking if their website is secure or not should visit one of these websites, the researcher advised:

- PublicWWW.com
- URLScan.io

To defend against the attacks, c/side recommends blocking the domain https://wp3[.]xyz in firewalls or security tools, auditing WordPress admin accounts for unauthorized users, removing suspicious plugins and validating existing ones, and strengthening CSRF protections and implementing multi-factor authentication (MFA). Ultimately, they recommend using c/side’s services, too.

Being the most popular website builder on the planet, WordPress is constantly being targeted by threat actors. However, since the platform is secure for the post part, attackers are focused on third-party plugins and themes, especially free-to-use ones, which often don’t have the right software support.

As a general rule of thumb, businesses should only use plugins and themes from reputable sources and with a strong supporting community. They should also make sure to uninstall any plugins they are not using, and to keep the remaining ones up to date.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.