Category Cyber Security

A hacker group has attempted to hijack nearly one million WordPress sites in the last seven days, according to a security alert issued today by cyber-security firm Wordfence.

The company says that since April 28, this particular hacker group has engaged in a hacking campaign of massive proportions that caused a 30x uptick in the volume of attack traffic Wordfence has been tracking.

“While our records show that this threat actor may have sent out a smaller volume of attacks in the past, it’s only in the past few days that they’ve truly ramped up,” said Ram Gall, QA engineer at Wordfence.

Gall says the group launched attacks from across more than 24,000 distinct IP addresses and attempted to break into more than 900,000 WordPress sites.

The attacks peaked on Sunday, May 3, when the group launched more than 20 million exploitation attempts against half a million domains.

Gall says the group primarily exploited cross-site scripting (XSS) vulnerabilities to plant malicious JavaScript code on websites and redirect incoming traffic to malicious sites.

The malicious code also scanned incoming visitors for logged-in administrators and then attempted to automate the creation of backdoor accounts via the unsuspecting admin users.

Wordfence says the hackers used a broad spectrum of vulnerabilities for their attacks. The different techniques observed over the last week are detailed below:

  1. An XSS vulnerability in the Easy2Map plugin, which was removed from the WordPress plugin repository in August of 2019. Wordfence says exploitation attempts for this vulnerability accounted for more than half of the attacks, despite the plugin being installed on fewer than 3,000 WordPress sites.
  2. An XSS vulnerability in Blog Designer, which was patched in 2019. Wordfence says this plugin is used by roughly 1,000 sites, and that this vulnerability was also the target of other campaigns.
  3. An options update vulnerability in WP GDPR Compliance, patched in late 2018, which would allow attackers to change the site’s home URL in addition to other options. Although this plugin has more than 100,000 installations, Wordfence estimated that no more than 5,000 vulnerable installations remain.
  4. An options update vulnerability in Total Donations, which would allow attackers to change the site’s home URL. This plugin was removed permanently from the Envato Marketplace in early 2019, and Wordfence says that fewer than 1,000 total installations remain.
  5. An XSS vulnerability in the Newspaper theme which was patched in 2016. This vulnerability has also been targeted in the past.

However, Wordfence also warns that the threat actor is sophisticated enough to develop new exploits and is likely to pivot to other vulnerabilities in the future.

WordPress website owners are advised to update the themes and plugins installed on their sites and, optionally, to install a web application firewall (WAF) plugin to block attacks in case they are targeted.
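For site owners who want to check for the outcomes described above (a changed home URL, one of the five named components still installed, an administrator account nobody recognises), the following triage script is an added example, not code from Wordfence or the article. It assumes inventory records shaped like WP-CLI JSON output (`wp plugin list --format=json`, `wp user list --role=administrator --format=json`); the name-matching rule, the review window and all sample values are constructed for illustration.

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Components named in the article, normalized to lowercase alphanumerics so
# either a directory slug or a display title matches (matching rule is assumed).
TARGETED = {"easy2map", "blogdesigner", "wpgdprcompliance",
            "totaldonations", "newspaper"}

def _norm(name):
    return re.sub(r"[^a-z0-9]", "", name.lower())

def audit_site(expected_host, options, components, admins, known_admins, since):
    """Return human-readable findings for one site's inventory."""
    findings = []
    # Options-update bugs let an attacker rewrite the home URL.
    for key in ("home", "siteurl"):
        host = urlparse(options.get(key, "")).hostname
        if host != expected_host:
            findings.append(f"option {key} -> {host} (expected {expected_host})")
    # Plugins/themes from the campaign list are flagged for update or removal.
    for comp in components:
        if _norm(comp["name"]) in TARGETED:
            findings.append(f"targeted component: {comp['name']} {comp['version']}")
    # Administrator accounts nobody recognises, created inside the review window.
    cutoff = datetime.fromisoformat(since)
    for user in admins:
        created = datetime.fromisoformat(user["user_registered"])
        if user["user_login"] not in known_admins and created >= cutoff:
            findings.append(f"unrecognised admin: {user['user_login']} ({created:%Y-%m-%d})")
    return findings

# Constructed sample inventory (not real data; versions are placeholders).
SAMPLE = {
    "options": {"home": "https://redirect.example.net/",
                "siteurl": "https://shop.example.com"},
    "components": [
        {"name": "easy2map", "version": "0.0.0", "status": "inactive"},
        {"name": "akismet", "version": "0.0.0", "status": "active"}],
    "admins": [
        {"user_login": "site-owner", "user_registered": "2018-02-11 09:30:00"},
        {"user_login": "wpsvc_tmp", "user_registered": "2020-05-03 14:22:10"}],
}

def demo():
    return audit_site("shop.example.com", SAMPLE["options"], SAMPLE["components"],
                      SAMPLE["admins"], {"site-owner"}, "2020-04-28")

if __name__ == "__main__":
    print("\n".join(demo()))
```

A finding here is a prompt for manual review, not proof of compromise; the script only compares the inventory against the expected host name and a list of known administrators that the operator supplies.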
