There are millions of WordPress sites that have been probed and attacked last week, the firm behind the Wordfence web firewall said on Friday.
The attacks occured after they discovered and started exploiting a zero-day vulnerability in a plug-in called File Manager, a popular WordPress plugin installed on more than 800,000 WordPress sites throughout the world.
The zero-day was an unauthenticated file upload vulnerability “1, 2, 3” that allowed an attacker to upload malicious files on a
Website with the aim of running an older version of the File Manager plugin.
Now it is unclear how hackers discovered the zero-day, but since earlier this week, they began probing for sites where this plugin might be installed.
If a probe was successful, the attackers would exploit the zero-day and upload a web shell disguised inside an image file on the victim’s server. The attackers would then access the web shell and take over the victim’s site, ensnaring it inside a botnet.
Attacks against this vulnerability have risen dramatically over the last few days, said Ram Gall, Threat Analyst at Defiant.
The attacks started slow, but intensified throughout the week, with Defiant recording attacks against over one million WordPress sites, just on Friday, September 4, 2020.
In total, Gall says Defiant blocked attacks against more than 1.7 million sites since September 1, when the attacks were first discovered.
The 1.7 million figure is more than half of the number of WordPress sites using the Wordfence web firewall.
Gall believes the true scale of the attacks is even much larger, as WordPress is installed on hundreds of millions of sites, all of which are probably being gradually probed and hacked.
The good news is that the File Manager developer team created and released a patch for the zero-day on the same day it learned about the attacks. Some site owners have installed the patch, but, as usual, others are lagging behind.
It is this slowness in patching that has recently driven the WordPress developer team to add an auto-update feature for WordPress themes and plugins.
Starting with WordPress 5.5, released last month.
So it is very important if you are a site owners to set all of your plugins and themes to auto-update themselves every time a new update is outdated and make sure their sites are always running the latest version of a theme or plugin and staying safe from attacks.
The security company has also advised to uninstall the software completely if a user is not actively using the plugin.
“As a general rule, we recommend that you always have your firewall optimized. When zero day vulnerabilities like this are attacked, having an optimized firewall gives you a much better chance of preventing successful exploitation,” Gall said.