Millions of WordPress accounts and websites were targeted in the last 24 hours as part of a major cyber attack with the aim of obtaining credentials and other sensitive data.
The hackers behind the attack were trying to download a specific file, wp-config.php, from WordPress websites, since it contains crucial information such as database credentials, connection info, authentication unique keys, salts, and more.
They tried to exploit vulnerabilities, such as cross-site scripting (XSS), in WordPress plugins and themes. This was done to gain access to credentials and ultimately take over the websites completely. However, QA engineer and threat analyst Ram Gall explained in a blog post how the attackers failed to do so thanks to the Wordfence Firewall.
Between May 29 and May 31, 2020, the Wordfence Firewall blocked over 130 million attacks intended to harvest database credentials from 1.3 million sites by downloading their configuration files. The peak of this attack campaign occurred on May 30, 2020. At this point, attacks from this campaign accounted for 75% of all attempted exploits of plugin and theme vulnerabilities across the WordPress ecosystem.
Security researchers at Wordfence were able to link this attack to a previous one in which hackers using 20,000 different IP addresses tried to install backdoors and redirect users to malicious websites. They launched nearly 20 million attacks on hundreds of thousands of websites.
As with every other hacking case, WordPress site owners can protect their platforms by keeping their plugins and themes up to date and applying the latest patches released by their creators. Outdated themes and plugins should also be removed for the sake of security since they are no longer maintained.
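Site owners who want to know whether their own server saw requests for wp-config.php can check their web server access logs. The script below is an added example, not code from Wordfence or the original article. It assumes the combined log format and that download attempts show up as requests whose path or query string names wp-config.php, possibly percent-encoded more than once. The log lines, IP addresses, and plugin and theme names are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in combined log format (documentation IP ranges,
# hypothetical plugin and theme names); not taken from the campaign.
SAMPLE_LOG = """\
192.0.2.10 - - [30/May/2020:10:01:02 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../wp-config.php HTTP/1.1" 403 512 "-" "curl/7.68.0"
192.0.2.10 - - [30/May/2020:10:01:03 +0000] "GET /wp-content/themes/example-theme/get.php?path=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3120 "-" "curl/7.68.0"
198.51.100.7 - - [30/May/2020:10:02:00 +0000] "GET /?f=%252e%252e%252fwp%252dconfig%252ephp HTTP/1.1" 404 300 "-" "Mozilla/5.0"
203.0.113.5 - - [30/May/2020:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [30/May/2020:10:03:09 +0000] "GET /blog/editing-wp-config-safely/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
TARGET_RE = re.compile(r'wp-config\.php', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so %252e... is compared in plain form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_config_probes(log_text):
    """Return (ip, timestamp, status, decoded_target) for wp-config.php requests."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, ts, _method, target, status = m.groups()
        decoded = fully_decode(target)
        if TARGET_RE.search(decoded):
            hits.append((ip, ts, int(status), decoded))
    return hits

def summarize(hits):
    """Count probes per source IP and list the ones answered with 200."""
    per_ip = Counter(ip for ip, _, _, _ in hits)
    served = [h for h in hits if h[2] == 200]
    return per_ip, served

if __name__ == "__main__":
    per_ip, served = summarize(find_config_probes(SAMPLE_LOG))
    print("probes per source:", dict(per_ip))
    print("answered with 200, review these:", served)
```

A request in the 200 list only shows that the server answered successfully; whether the file's contents were actually returned has to be confirmed from the response size or by replaying the request against a patched copy of the site.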