Attackers targeted the database credentials of over 1.3 million WordPress websites through the ‘wp-config.php’ file


Attackers attempted to download the ‘wp-config.php’ file, which holds the database credentials, from over 1.3 million WordPress websites

WordPress is a very popular content management system, and about 75 million websites run on it. There are 55,000+ plugins in the official WordPress repository and about 50,000 more outside it. Previously, researchers found flaws in two plugins that put the databases of 200,000+ WordPress sites at risk of being wiped. The threat actor that attempted to insert a backdoor into nearly a million WordPress-based sites in early May (and kept trying throughout the month) tried to grab the WordPress configuration files of 1.3 million sites at the end of the same month.

The previously reported XSS campaigns sent attacks from over 20,000 different IP addresses. The new campaign is using the same IP addresses, which accounted for the majority of the attacks and sites targeted. This campaign is also attacking nearly a million new sites that weren’t included in the previous XSS campaigns.

said the researcher

The main goal of the attacker was to gain access to the wp-config.php file, which contains the database credentials, connection information, authentication keys, and salts.

An attacker with access to this file could gain access to the site’s database, where site content and users are stored.

the researcher further added

The researcher could not determine which specific plugins the attackers exploited to read the configuration file, but said the campaign targeted vulnerabilities in themes and plugins that offer file downloads by reading the contents of a file named in a query string and serving it as a downloadable attachment. When such a feature does not restrict which file may be named, a request such as ?file=../../wp-config.php walks out of the intended download directory and returns the configuration file itself.
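To make the flaw concrete, here is an added example that is not code from the article or from any WordPress plugin: a minimal download handler in the shape the article describes, first in its vulnerable form and then hardened so that a traversal request is refused. The uploads directory layout, the file query parameter, the allowed-extension list and the function names are assumptions, and the site it runs against is a throwaway directory constructed by the script.

```python
"""Added example, not code from the article or from any WordPress
plugin: a minimal file-download handler in the shape the article
describes, first in its vulnerable form and then hardened.  Everything
here is a constructed stand-in: the uploads directory layout, the
'file' query parameter and the function names are assumptions."""
import os
import tempfile
from urllib.parse import parse_qs

# Assumed allowlist of attachment types the download feature is meant to serve.
ALLOWED_SUFFIXES = {".pdf", ".zip", ".png", ".jpg"}


def uploads_dir(site_root: str) -> str:
    return os.path.join(site_root, "wp-content", "uploads")


def vulnerable_download(site_root: str, query_string: str) -> bytes:
    """Vulnerable pattern: whatever 'file' names in the query string is
    read from disk and handed back as the attachment body.  Nothing
    stops ?file=../../wp-config.php from walking out of uploads/."""
    requested = parse_qs(query_string).get("file", [""])[0]  # parse_qs already URL-decodes
    with open(os.path.join(uploads_dir(site_root), requested), "rb") as fh:
        return fh.read()


def hardened_download(site_root: str, query_string: str) -> bytes:
    """Hardened form: resolve the real path and refuse anything that does
    not land inside uploads/ or is not an allowed attachment type.
    Raises PermissionError instead of serving on a traversal attempt."""
    requested = parse_qs(query_string).get("file", [""])[0]
    base = os.path.realpath(uploads_dir(site_root))
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath is the containment check; a plain startswith() would
    # also accept a sibling such as .../uploads_private/secret.pdf.
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes uploads directory: {requested!r}")
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_SUFFIXES:
        raise PermissionError(f"not an allowed attachment type: {requested!r}")
    with open(candidate, "rb") as fh:
        return fh.read()


def build_demo_site() -> str:
    """Constructed fixture: a throwaway directory that mimics a WordPress
    install, with a fake wp-config.php holding a placeholder secret."""
    root = tempfile.mkdtemp(prefix="wpdemo-")
    os.makedirs(uploads_dir(root))
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php\ndefine('DB_PASSWORD', 'placeholder-not-a-real-secret');\n")
    with open(os.path.join(uploads_dir(root), "brochure.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed demo attachment")
    return root


def demo() -> dict:
    """Run the traversal request against both handlers and report what
    each one did: the vulnerable handler leaks the config, the hardened
    handler serves the legitimate file and blocks the attack."""
    root = build_demo_site()
    attack = "file=../../wp-config.php"
    legit = "file=brochure.pdf"
    result = {
        "vulnerable_leaks_config": b"DB_PASSWORD" in vulnerable_download(root, attack),
        "hardened_serves_legit": hardened_download(root, legit).startswith(b"%PDF"),
    }
    try:
        hardened_download(root, attack)
        result["hardened_blocks_attack"] = False
    except PermissionError:
        result["hardened_blocks_attack"] = True
    return result


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The containment check deliberately uses os.path.commonpath on the resolved paths rather than a prefix comparison on the raw string: the raw string is exactly what the attacker controls, and a prefix test is also fooled by sibling directories that merely start with the same name.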

Site admins can check their server logs for requests with wp-config.php in the query string that returned a 200 response code. If such entries exist and a response body was transferred, the site has most likely been compromised by these attackers. In that case, rotate the database password and update wp-config.php with the new credentials, and regenerate the authentication keys and salts in wp-config.php as well, since the stolen file contains both and the new salts invalidate any sessions the attacker may have established.
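The log check above as an added example, not code from the article or from Wordfence: it parses combined-format access log lines, URL-decodes the query string so encoded traversal variants are caught, and flags only requests that name wp-config.php in the query string, returned 200 and transferred a body. The log lines are constructed; the plugin and theme paths in them are invented and the IPs are RFC 5737 documentation addresses.

```python
"""Added example, not code from the article or from Wordfence: triage a
web server access log for the indicator the article names, requests
with wp-config.php in the query string that returned HTTP 200 with a
body.  The log lines below are constructed; the plugin and theme paths
in them are invented and the IPs are RFC 5737 documentation addresses."""
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2020:14:02:11 +0000] "GET /wp-content/plugins/example-downloader/download.php?file=../../../wp-config.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2020:14:02:12 +0000] "GET /wp-admin/admin-ajax.php?action=download&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.23 - - [30/May/2020:14:05:40 +0000] "GET /wp-content/themes/example-theme/dl.php?path=../../wp-config.php HTTP/1.1" 404 212 "-" "python-requests/2.23"
198.51.100.23 - - [30/May/2020:14:05:41 +0000] "GET /wp-config.php HTTP/1.1" 200 0 "-" "python-requests/2.23"
192.0.2.44 - - [30/May/2020:14:09:03 +0000] "GET /wp-content/uploads/2020/05/brochure.pdf HTTP/1.1" 200 98231 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry


def is_config_grab(entry: dict) -> bool:
    """The indicator from the article: wp-config.php named in the query
    string (URL-decoded first, so ..%2Fwp-config.php counts), status 200,
    and a non-empty body, meaning the file contents probably went out.
    A direct GET /wp-config.php is not matched: the name is in the path,
    not the query, and PHP normally executes it and returns nothing."""
    _, _, query = entry["target"].partition("?")
    return ("wp-config.php" in unquote(query).lower()
            and entry["status"] == 200
            and entry["bytes"] > 0)


def triage(log_text: str) -> list:
    """Return the parsed entries that match the indicator."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e and is_config_grab(e)]


def suspects(hits: list) -> Counter:
    """Count matching requests per source IP, for blocking and further log review."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']}  {h['ip']}  {h['target']}  {h['bytes']} bytes")
    print("per-IP:", dict(suspects(hits)))
```

On a live server the quick first pass is grep -i 'wp-config.php' access.log | awk '$9 == 200'; the script adds the URL-decoding and the query-string-only match that the one-liner lacks, so a 404 probe, a zero-byte response, and the harmless request for the file by path are not reported.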

Once again the flaws lie in WordPress plugins and themes, so keep them updated and delete any you no longer need.

