Reports are emerging that millions of WordPress websites are being targeted by hackers looking to leverage a potential vulnerability in the site’s use of plug-ins, security researchers have said.
WordPress is one of the most popular website platforms, with an estimated 500,000 million users worldwide.
The news comes from a company called Wordfence, which writes code for a popular plug-in used on WordPress. Last week, the company published a blog post stating that more than 700,000 WordPress users were affected by a zero-day vulnerability in the File Manager plug-in.
According to the team, “this vulnerability allowed unauthenticated users to execute commands and upload malicious files on a target site.”
Ram Gall of Wordfence writes that “attacks against this vulnerability have risen dramatically over the last few days. Wordfence has recorded attacks against over one million sites today, September 4, 2020. Sites not using this plugin are still being probed by bots looking to identify and exploit vulnerable versions of the File Manager plugin, and we have recorded attacks against 1.7 million sites since the vulnerability was first exploited.”
“Although Wordfence protects well over three million WordPress sites, this is still only a portion of the WordPress ecosystem. As such, the true scale of these attacks is larger than what we were able to record.”
The team at Wordfence say that if exploited, the vulnerability allows an outside, unauthorised third-party to take control of the site and upload potentially malicious files and software onto the system.
Security researchers say that WordPress users should install the latest version of the plug-in (version 6.9) to ensure the vulnerability is patched.
“If you are not actively using the plugin, uninstall it completely,” Mr Gall said. “Due to the breadth of file management functionality this plugin provides a user within the wp-admin dashboard, we recommend uninstalling the plugin when it is not actively being used,” he said.
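The two remediation steps above (confirm the installed version is at least 6.9, otherwise update or remove the plugin) can be checked across a fleet of installs from the command line. The following script is an added example for this article, not code from the article or from Wordfence. It assumes WP-CLI is installed as `wp` and that the plugin's slug is `wp-file-manager`; the slug is not stated in the article and is taken here as an assumption. The version comparison is written in plain POSIX shell so it does not depend on `sort -V`, and it handles the edge cases a naive string comparison gets wrong (6.10 is newer than 6.9; 6.9.0 is not older than 6.9).

```shell
#!/bin/sh
# Added example (not from the article or Wordfence): audit one or more
# WordPress installs for a File Manager plugin older than the patched
# release 6.9 named in the article.
# Assumptions: WP-CLI is available as `wp`; the plugin slug is
# `wp-file-manager` (assumed, not stated in the article).

PATCHED_VERSION="6.9"
PLUGIN_SLUG="wp-file-manager"

# version_lt A B -> exit 0 when A is strictly older than B.
# Versions are compared numerically, component by component, with missing
# trailing components treated as 0 (so 6.9.0 == 6.9 and 6.10 > 6.9).
# Purely numeric dot-separated versions only; suffixes such as -beta are
# not handled.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    # drop the consumed component, or empty the string on the last one
    if [ "$x" = "$a" ]; then a=""; else a="${a#*.}"; fi
    if [ "$y" = "$b" ]; then b=""; else b="${b#*.}"; fi
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
  done
  return 1
}

# is_vulnerable VERSION -> exit 0 when VERSION predates the patched release
is_vulnerable() {
  version_lt "$1" "$PATCHED_VERSION"
}

# audit_path WP_ROOT -> prints a one-line verdict for the install at WP_ROOT
# and exits non-zero when an unpatched copy of the plugin is present.
audit_path() {
  path="$1"
  # `wp plugin get` fails when the plugin is not installed at all
  version=$(wp --path="$path" plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
    echo "$path: $PLUGIN_SLUG not installed"
    return 0
  }
  if is_vulnerable "$version"; then
    echo "$path: $PLUGIN_SLUG $version is older than $PATCHED_VERSION; update it or, if unused, remove it"
    return 1
  fi
  echo "$path: $PLUGIN_SLUG $version is at or above $PATCHED_VERSION"
}

# Usage: ./audit-file-manager.sh /var/www/site1 /var/www/site2 ...
if [ "$#" -gt 0 ]; then
  rc=0
  for p in "$@"; do
    audit_path "$p" || rc=1
  done
  exit "$rc"
fi
```

Run it with one or more WordPress document roots as arguments; a non-zero exit status means at least one install still carries a pre-6.9 copy of the plugin. The version comparison is the part worth keeping even if your inventory comes from somewhere other than WP-CLI, since comparing version strings lexically would wrongly treat 6.10 as older than 6.9.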