Attack targeted database credentials on 1.3 million WordPress sites


A massive attack at the end of May targeted the database credentials of some 1.3 million WordPress sites.

According to a recent Wordfence blog post, the attack took place between May 29 and May 31 and was stopped by the Wordfence Firewall, which blocked more than 130 million attacks.

Ram Gall, QA engineer and threat analyst at Wordfence, said the attacks from this campaign accounted for 75 percent of all attempted exploits of plugin and theme vulnerabilities across the WordPress ecosystem.

“What we found is that the vast majority of the attacks are on outdated plugins and website themes,” said Gall. “Typically what we’ve seen in these cases is that the attackers gain access to the website databases through the outdated plugins. They then can redirect site visitors to malicious advertising sites, which can be adult sites, online gaming or betting, or even pharmaceutical or other consumer items.”

Gall points out that Wordfence does not know the full motivation of the attackers in this case. However, he did say by redirecting site visitors to malicious advertising sites, the attackers stood to gain financially, mostly from being paid a fee by the malicious sites for access to unsuspecting site visitors.

Bryan Murphy, director of consulting services at CyberArk, added that by going after database credentials, attackers can gain entry to everything stored on the site and do whatever they want, including stealing the data or simply deleting it.

Murphy said too many organizations make the mistake of using over-privileged accounts with full administrative access to connect websites to databases. He says they need to reduce the privileges, granting only the ability to “read” or “write” data to only a specific locations in the database.

“So if somebody enters the site looking to steal information, they should be able to input searches and interact, but they can’t manipulate if there are good input validation controls or without write/administrative privileges,” Murphy said. “And by only allowing write access to specific tables in the database with input validation, the hacker can’t have full access to all data.”

Wordfence’s Gall said sites running Wordfence are protected against these types of campaigns. He says organizations should start by updating all their plugins and themes and keep them updated regularly. Companies not running Wordfence that believe they’ve been compromised should change their database password and authentication unique keys and salts.

“Even if your site does not allow remote database access, an attacker who knows your site’s authentication keys and salts may be able to use them to more easily bypass other security mechanisms,” said Gall.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.