Wordfence analysts report that they have detected a massive attack originating from 16,000 IPs and targeting over 1.6 million WordPress sites in the last few days.
Today, December 9, 2021, the Threat Intelligence team noticed an exponential increase in attacks targeting vulnerabilities that allow attackers to update arbitrary options on vulnerable sites. In response, we conducted an investigation and uncovered an active attack targeting more than one million WordPress sites. In the past 36 hours, Wordfence blocked over 13.7 million attacks targeting four different plugins and multiple Epsilon Framework themes, originating from over 16,000 different IP addresses on over 1.6 million sites.
The threat group targets four WordPress plugins and 15 Epsilon Framework themes, one of which has no available patches.
Some of the targeted plugins had been patched throughout 2018, while others had their vulnerabilities addressed only this week.
The affected plugins are:
- PublishPress Capabilities
- Kiwi Social Plugin
- Pinterest Automatic
- WordPress Automatic
The targeted Epsilon Framework themes are as follows:
- Newspaper X
- Pixova Lite
- MedZone Lite
- Regina Lite
- NatureMag Lite – No Patch
In most cases, the attacker updates the users_can_register option to enabled and sets the default_role option to administrator.
This allows the attacker to register as an administrator on any site and effectively take over the site.
Check, update, delete
To see if your site has already been compromised, check all your user accounts for any unauthorized additions that should be removed immediately.
Next, go to “http://examplesite[.]com/wp-admin/options-general.php” and check the “Membership” and “New User Default Role” settings.
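The same check can be run directly against the database rather than through the admin screen. The following is an added example (not Wordfence's code): it queries wp_options for the two options the attacker changes and lists administrator accounts registered after a given date. It runs here against a constructed in-memory SQLite copy of the relevant tables, but the queries are plain SQL usable against a real WordPress MySQL database (assuming the default wp_ table prefix).

```python
"""Check a WordPress database for the indicators described above:
users_can_register enabled, default_role set to administrator, and
administrator accounts registered recently. Added example, not Wordfence's
code. Table names and the wp_capabilities meta_key assume the default
$table_prefix of 'wp_'; adjust both if the site uses another prefix."""
import sqlite3

OPTIONS_CHECK = """
SELECT option_name, option_value FROM wp_options
WHERE option_name IN ('users_can_register', 'default_role')
"""

# wp_capabilities holds a PHP-serialized array; the role name appears as a quoted key.
RECENT_ADMINS = """
SELECT u.user_login, u.user_registered FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
  AND u.user_registered >= ?
ORDER BY u.user_registered
"""

def check_site(conn, since):
    """Return findings: whether the two options match the attack pattern and
    which administrator logins were registered on or after `since` (ISO date)."""
    opts = dict(conn.execute(OPTIONS_CHECK).fetchall())
    return {
        "registration_open": opts.get("users_can_register") == "1",
        "default_role_admin": opts.get("default_role") == "administrator",
        "recent_admins": [row[0] for row in conn.execute(RECENT_ADMINS, (since,))],
    }

def build_sample_db():
    """Constructed sample data: one legitimate admin from 2019, one admin that
    registered after the options were changed, and the options set as the attack sets them."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
    CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    INSERT INTO wp_options VALUES ('users_can_register', '1'), ('default_role', 'administrator');
    INSERT INTO wp_users VALUES (1, 'siteowner', '2019-03-01 10:00:00'),
                                (2, 'zxq7', '2021-12-09 03:12:44');
    INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
                                   (2, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn

if __name__ == "__main__":
    print(check_site(build_sample_db(), "2021-12-01"))
```

Any administrator login in the result that you did not create yourself should be treated as the unauthorized addition described above and removed.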
We recommend that you update your plugins and themes as soon as possible, even if they are not in the above list.
If you are using NatureMag Lite for which no fix exists, please uninstall it immediately.
In addition, if your site has already been compromised, updating the plugin will not remove the threat.
In this case, it is recommended to follow the instructions in the detailed cleanup guide first.
Normally, deleting everything in the wp-content/plugins/ directory will not result in any data loss or site corruption, because these are plugin files that can be reinstalled, and WordPress automatically detects that a plugin has been deleted and deactivates it.
Just be sure to delete each plugin's entire directory under wp-content/plugins, not individual files. For example, to remove the Wordfence plugin, delete wp-content/plugins/wordfence and all the files in that directory.
Deleting only some of a plugin's files will cause the site to stop working.
Normally, a site uses only one theme directory under wp-content/themes.
Once you know which directory that is, you can delete all the other theme directories.
If you are using a “child theme”, note that two directories in wp-content/themes are in use (the child theme and its parent theme).
It is unlikely that new files will be added to the wp-admin and wp-includes directories.
So, if you find something new in these directories, it is likely to be malicious.
Beware of old WordPress installations and backups
Why was my site hacked if I had kept it up to date and installed security plugins? In these cases, the developer may have backed up a copy of all site files to a subdirectory such as /old/ that is accessible from the web.
This backup is unmanaged, and even if the main site is secure, hackers can get in there, infect it, and access the main site through a planted backdoor.
So don’t leave old WordPress installations unattended, and if you are hacked, check them first, as they are likely to contain malware.
In general, you should try to keep the number of plugins on your WordPress site to a minimum. Doing so will dramatically reduce your chances of being targeted or hacked in the first place.