Website & Technology, 1 January 2022

Cyberattack on 1.6 million WordPress sites

An attack on 1.6 million WordPress sites in 2024 highlighted just how vulnerable poorly maintained installations are. The attacks were automated, and the consequences ranged from SEO damage to data loss. We’ll show you what lessons SMEs can learn from this and what minimum security measures are mandatory today.


TL;DR

  • An attack on 1.6 million WordPress sites highlighted the vulnerability of poorly maintained installations.
  • Automated attacks exploited vulnerabilities in plugins and themes.
  • We’ll show you the lessons learned and minimum security measures.
  • Benefits: Protection against SEO damage and data loss for your SME.

Approximately 1.6 million WordPress websites were the target of a large-scale attack campaign in which security vulnerabilities in four plugins and 15 Epsilon Framework themes were specifically exploited from 16,000 different IP addresses.

According to Wordfence, a WordPress security firm that published details on the attacks, more than 13.7 million attacks targeting the plugins and themes were detected and blocked within 36 hours; these attacks aimed to take over the websites and execute malicious functions.

Operators of WordPress websites using any of the aforementioned plugins or themes are therefore urged to install the latest patches to minimize the risk of an attack.

The following plugins are affected by the attack:

  • Kiwi Social Share (<= 2.0.10)
  • WordPress Automatic (<= 3.53.2)
  • Pinterest Automatic (<= 4.14.3)
  • PublishPress Capabilities (<= 2.3)

The affected Epsilon Framework themes and their corresponding versions are as follows.

Patches were released for some of these as early as November 2018.

  • Activello (<=1.4.1)
  • Affluent (<1.1.0)
  • Allegiant (<=1.2.5)
  • Antreas (<=1.0.6)
  • Bonkers (<=1.0.5)
  • Brilliance (<=1.2.9)
  • Illdy (<=2.1.6)
  • MedZone Lite (<=1.2.5)
  • NatureMag Lite (no known patch available)
  • NewsMag (<=2.4.1)
  • Newspaper X (<=1.3.1)
  • Pixova Lite (<=2.0.6)
  • Regina Lite (<=2.0.5)
  • Shapely (<=1.2.8)
  • Transcend (<=1.1.9)
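
A quick way to turn the two lists above into an inventory check is to read the version headers WordPress keeps in every plugin's main file and every theme's style.css and compare them against the affected ranges. The script below is an added example written for this article, not code from Wordfence or from any of the plugin or theme authors. The affected ranges are the ones quoted above; the header regex, the version comparison and the directory layout (`wp-content/plugins/<slug>/*.php`, `wp-content/themes/<slug>/style.css`) are the standard WordPress conventions, and the sample headers in the test are constructed. A component listed with "no known patch available" is treated as affected whatever its version, and a missing version header is also treated as affected rather than silently skipped.

```python
import re
import sys
from pathlib import Path

# Vulnerable version ranges as listed in the article (from Wordfence).
# ("<=", "2.0.10") means every version up to and including 2.0.10 is affected,
# ("<", "1.1.0") means strictly below 1.1.0, and None means no known patch,
# so every installed version counts as affected.
AFFECTED_PLUGINS = {
    "Kiwi Social Share": ("<=", "2.0.10"),
    "WordPress Automatic": ("<=", "3.53.2"),
    "Pinterest Automatic": ("<=", "4.14.3"),
    "PublishPress Capabilities": ("<=", "2.3"),
}
AFFECTED_THEMES = {
    "Activello": ("<=", "1.4.1"),
    "Affluent": ("<", "1.1.0"),
    "Allegiant": ("<=", "1.2.5"),
    "Antreas": ("<=", "1.0.6"),
    "Bonkers": ("<=", "1.0.5"),
    "Brilliance": ("<=", "1.2.9"),
    "Illdy": ("<=", "2.1.6"),
    "MedZone Lite": ("<=", "1.2.5"),
    "NatureMag Lite": None,
    "NewsMag": ("<=", "2.4.1"),
    "Newspaper X": ("<=", "1.3.1"),
    "Pixova Lite": ("<=", "2.0.6"),
    "Regina Lite": ("<=", "2.0.5"),
    "Shapely": ("<=", "1.2.8"),
    "Transcend": ("<=", "1.1.9"),
}

# WordPress declares component metadata in a comment header with one
# "Field: value" pair per line, e.g. " * Plugin Name: ..." or "Version: ...".
HEADER_RE = re.compile(r"^[\s*#/]*(Plugin Name|Theme Name|Version)\s*:\s*(.+?)\s*$", re.M)


def parse_header(text: str):
    """Return (name, version) from a plugin main file or a theme's style.css."""
    fields = dict(HEADER_RE.findall(text))
    name = fields.get("Plugin Name") or fields.get("Theme Name")
    return name, fields.get("Version")


def version_key(v: str):
    """Numeric list for comparison; non-numeric parts (e.g. 'beta') count as 0."""
    return [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v.strip())]


def compare(a: str, b: str) -> int:
    """-1, 0 or 1 like strcmp, zero-padding so that 2.3.0 compares equal to 2.3."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += [0] * (width - len(ka))
    kb += [0] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(name, version, table) -> bool:
    """True when the installed version falls inside the affected range."""
    if name not in table:
        return False
    rule = table[name]
    if rule is None or version is None:  # no patch exists, or version unknown
        return True
    op, ceiling = rule
    c = compare(version, ceiling)
    return c <= 0 if op == "<=" else c < 0


def scan_wp_content(root: Path):
    """Walk a wp-content directory and list affected (kind, name, version) triples."""
    findings = []
    for php in (root / "plugins").glob("*/*.php"):
        name, version = parse_header(php.read_text(errors="ignore"))
        if name and is_affected(name, version, AFFECTED_PLUGINS):
            findings.append(("plugin", name, version))
    for css in (root / "themes").glob("*/style.css"):
        name, version = parse_header(css.read_text(errors="ignore"))
        if name and is_affected(name, version, AFFECTED_THEMES):
            findings.append(("theme", name, version))
    return findings


if __name__ == "__main__":
    # Usage: python wp_affected.py /var/www/example/wp-content
    for kind, name, version in scan_wp_content(Path(sys.argv[1])):
        print(f"AFFECTED {kind}: {name} {version}")
```

The comparison pads shorter version strings with zeros, so an installed "2.3.0" of PublishPress Capabilities is correctly reported as affected by the "<= 2.3" range; this matters because plugin authors are not consistent about how many components a version string carries.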

In most of the attacks observed by Wordfence, the attacker changes the “users_can_register” option (i.e., anyone can register) to “enabled” and sets the “default_role” setting (i.e., the role assigned by default to users who register on the site) to “administrator.” This allows the attacker to register as a privileged user on the compromised site and take control.
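
Because the takeover pattern described above leaves a very specific fingerprint in the options table, the two settings are worth checking on every site you maintain, independently of which plugins are installed. The script below is an added example written for this article, not code from Wordfence or from WordPress itself. It assumes the option values as WordPress stores them (users_can_register as the string "0" or "1", default_role as a role slug) and the JSON shape that `wp option list --format=json` emits (a list of objects with option_name and option_value keys); the severity levels and the sample option rows are constructed for the example.

```python
import json
import sys

# WordPress stores both settings as strings in wp_options: users_can_register
# is "0" or "1", default_role is a role slug such as "subscriber".
SAFE_DEFAULT_ROLE = "subscriber"
PRIVILEGED_ROLES = {"administrator", "editor", "author"}


def audit_options(options: dict) -> list:
    """Return (severity, option, value, message) findings for the two settings
    the campaign is reported to flip. An empty list means both look sane."""
    reg = str(options.get("users_can_register", "0")).strip()
    role = str(options.get("default_role", SAFE_DEFAULT_ROLE)).strip()
    findings = []
    if reg == "1" and role == "administrator":
        # Exactly the post-compromise state described in the article.
        findings.append(("CRITICAL", "users_can_register+default_role", f"{reg}/{role}",
                         "open registration with administrator as the default role"))
        return findings
    if role in PRIVILEGED_ROLES:
        findings.append(("HIGH", "default_role", role,
                         "newly registered users receive a privileged role"))
    if reg == "1":
        findings.append(("MEDIUM", "users_can_register", reg,
                         "anyone can register; confirm this is intended"))
    return findings


def remediation(options: dict) -> list:
    """WP-CLI commands that restore the safe values for whatever is off."""
    cmds = []
    if str(options.get("users_can_register", "0")).strip() == "1":
        cmds.append("wp option update users_can_register 0")
    if str(options.get("default_role", SAFE_DEFAULT_ROLE)).strip() != SAFE_DEFAULT_ROLE:
        cmds.append(f"wp option update default_role {SAFE_DEFAULT_ROLE}")
    return cmds


def load_wp_cli_json(stream) -> dict:
    """Parse `wp option list --format=json` output into {option_name: option_value}."""
    return {row["option_name"]: row["option_value"] for row in json.load(stream)}


# Constructed sample rows resembling the state an attacker leaves behind.
SAMPLE_ROWS = [
    {"option_name": "users_can_register", "option_value": "1"},
    {"option_name": "default_role", "option_value": "administrator"},
    {"option_name": "blogname", "option_value": "Example SME"},
]


if __name__ == "__main__":
    # Usage: wp option list --format=json | python wp_options_audit.py
    # Without piped input the constructed sample is audited instead.
    if sys.stdin.isatty():
        opts = {r["option_name"]: r["option_value"] for r in SAMPLE_ROWS}
    else:
        opts = load_wp_cli_json(sys.stdin)
    for severity, option, value, message in audit_options(opts):
        print(f"{severity}: {option}={value}: {message}")
    for cmd in remediation(opts):
        print("fix:", cmd)
```

Resetting the two options closes the registration door but does not undo an account the attacker already created; after a CRITICAL finding, also review the user list for administrator accounts you did not create and update the affected plugin or theme, since the options can otherwise simply be flipped again.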

The attacks are said to have increased significantly only after December 8. This suggests that the recently patched vulnerability in PublishPress Capabilities may have encouraged attackers to target various Arbitrary Options Update vulnerabilities as part of a large-scale campaign, according to Chloe Chamberland of Wordfence.

Conclusion

All customers who have a “WordPress Maintenance Contract” with us have nothing to worry about. We perform regular updates on your WordPress website. This keeps the website secure, minimizes the risk of a hack, and allows you to immediately take advantage of the latest CMS features.