WordPress is the most popular content management system which is based on PHP and MySQL. A recent study revealed that WordPress-associated vulnerabilities have seen a 30% increase in 2018 when compared to the previous year. The number of vulnerabilities related to WordPress recorded in 2018 was 542.

Moreover, most of these vulnerabilities, almost 98% were related to WordPress plugins and only 2% of the vulnerabilities were found in the WordPress code. A vulnerability in WordPress plugin could allow attackers to access thousands of sites. The plugin architecture is the major reason people choose WordPress, however, out-of-date plugins are an excellent bait for attackers to compromise WordPress sites.

In this blog, we will be highlighting some of the massive attacks that involved compromise of WordPress sites.

#1. Over 1.5 million WordPress sites were hacked due to a critical vulnerability

A critical vulnerability was detected in the WordPress version 4.7.2. The developers of CMS reported the zero-day vulnerability in WordPress and patched three vulnerabilities including SQL injection, cross-site scripting, and access control bug.

However, one week later, the CMS developers reported that WordPress account had been hacked as the vulnerability was not patched in many sites. This allowed attackers to exploit the vulnerability and modify the content of any page or post on a targeted site.

The vulnerability was exploited to carry out four different defacement campaigns.

• The first campaign exploiting this vulnerability hacked WordPress sites within 48 hours after disclosure.
• In the second campaign, attackers exploited this vulnerability to modify the content of over 60,000 web pages and replaced them with ‘hackedby’ messages.
• The other campaigns hacked nearly 1000 WordPress pages.

Apart from defacement campaigns, researchers also spotted SEO spam campaigns leveraging this WordPress vulnerability. Overall, researchers revealed that 1.5 million WordPress sites were hacked.

#2. WordPress plugin used to hack more than 200,000 websites

A WordPress Plugin named ‘Display Widgets’ has been used to install a backdoor on WordPress sites. The WordPress team removed the ‘Display Widgets’ plugin from the Official WordPress Plugins repository. However, the plugin was installed on more than 200,000 sites.

The plugin has been removed from Official WordPress Plugins repository four times.

• The first version of the plugin v2.6.0 broke WordPress plugin rules by downloading over 38MB code from a third-party server. The 38 MB code contained tracking features that logged traffic on websites using this version. The extra code collected data such as user IP addresses, user strings, the domain where the data was collected, and the page the user was viewing and sent this collected information to the third-party server. The plugin was removed from the repository for the aforementioned reasons.
• The second version v2.6.1 integrated the 38MB file inside the plugin to avoid downloading files from third-party servers and avoid breaking WordPress plugin rules. However, this version contained a backdoor that allowed the plugin’s owner to connect to remote sites and create new pages or posts. This version was removed from the repository.
• The third version v2.6.2 created new pages where it inserted spammy links to other sites. Moreover, the plugin also hid these spammy pages from logged in users. The plugin was removed for the third time.
• The fourth version v2.6.3 was also malicious and was removed from the repository as it inserted spammy links into other sites.

#3. Brute-force attack targets over 190,000 WordPress sites/hour

In December 2017, a massive brute-force attack campaign targeted WordPress sites with Monero miners. The attackers brute-forced WordPress admin account logins to install a Monero miner on compromised sites. The WordPress security firm Wordfence stated that this was the biggest brute-force attack the company was forced to mitigate since its birth in 2012.

The brute-force attacks peaked at 14.1 million requests per hour. Brute-force requests originated from over 10,000 unique IP addresses and targeted around 190,000 WordPress sites per hour. In this Brute-force campaign, the attackers earned over $100,000 worth of Monero.

#4. United Nation WordPress site exposed over thousands of resumes online

The United Nations WordPress website that contained resumes of job applicants since 2012 was breached compromising thousands of resumes. The breach was caused by two vulnerabilities that were discovered in one of the UN’s WordPress websites. The two vulnerabilities included a path disclosure vulnerability and an information disclosure vulnerability. These vulnerabilities could have allowed attackers to gain access to the directory index that documented the job applications by conducting Man-in-the-Middle (MITM) attacks.