WordPress sites are enduring 30 times more attacks than normal, as reported by Defiant. It has been observed that attack attempts were made on more than 900,000 websites since April 28, 2020.
What is happening?
The majority of the attacks are suspected to be from the same threat actor. The same group is also potentially linked to targeting older known vulnerabilities in WordPress. There were more than 20 million attacks on 3rd May against 500,000 sites. Since the last month, approximately 24,000 distinct IP addresses have been detected that were attempting to launch the attacks.
The current situation
The attacks exploiting XSS vulnerabilities are primarily focused on planting a backdoor on the targeted sites. The backdoor payload will add a malicious JavaScript to every page on the site.
For the non-XSS attacks, visitors are being attempted to be redirected to the same malvertising campaign by changing the URL of the home page of the site.
What the experts are saying
Ram Gall, a QA engineer at Defiant, has statedthat it is apparent from the variety and volume of the attacks that this is not a targeted campaign. The only motivation for this campaign seems to be monetization.
Defiant has warned that this large-scale campaign can easily shift to other targets.
WordPress plug-ins are a critical third-party risk since more than 70% of the scripts on a website are third-party.
What you can do
Delete and deactivate the plug-ins that have been removed from the WordPress repositories.
Run a web application firewall.
More insights
IOCshave been provided by Wordfence that can be used by site admins to check if they were targeted.
Wordfence users are protected from XSS attacks.
More than half of the attacks were accounted for by Easy2Mapplugin that was removed from the repository last year in August. This plugin is most likely installed on nearly 3000 sites.
In essence
The takeaway is that all plug-ins should be updated. A layered security approach is the need of the hour.