Researchers caught a recent malicious campaign targeting more than a million WordPress websites. As discovered, the hackers targeted all these WordPress Sites to harvest database credentials.
Hackers Target WordPress Sites In A Campaign
Team Wordfence has recently disclosed an orchestrated campaign by hackers targeting numerous WordPress sites.
As revealed in their recent blog post, the team detected over 130 million attacks within three days at the end of May 2020. These attacks collectively targeted around 1.3 million WordPress sites aiming to download their configuration files.
Among these attacks, Wordfence noticed that the attacks potentially linked back to the same hacker. The researchers detected the same IP addresses behind the attacks.
Briefly, the researchers observed the following IP addresses predominantly involved in the campaign.
- 25.60.53
- 60.254.42
- 255.79.47
- 58.123.231
- 131.251.113
- 165.195.184
- 170.19.251
- 80.22.75
- 190.140.8
- 254.68.134
Whereas, the campaign involved the exploitation of XSS bugs in WordPress plugins.
Explaining further, the researchers stated,
The attackers are attempting to download wp-config.php, a file critical to all WordPress installations which contains database credentials and connection information, in addition to authentication unique keys and salts.
In the past, the researchers have pointed out countless vulnerable WordPress plugins that could risk websites.
What Should You Do?
For WordPress admins who suspect a compromise of their websites, researchers have advised changing database passwords, authentications keys and salts.
It is because, in case of a compromise, and if the site allows remote database access, the hackers, using all the stolen details, could meddle with the site in any possible way. This includes creating admin accounts, stealing data, and even deleting the target site.
Whereas, for sites that do not allow remote database access, the hackers can still exploit the authentications keys and salts to bypass security mechanisms.
To check for a possible hacking attack, here’s what Wordfence advises,
Attacks by this campaign should be visible in your server logs. Look for any log entries containing wp-config.php in the query string that returned a 200 response code.
Let us know your thoughts in the comments.