The popularity of WordPress, the world's most widely used content management system, continues to make it a target for hackers and cyber criminals. It is a natural target because a hacker who breaks into one site can probably break into tens or even hundreds of thousands of other WordPress sites using the same technique. Attacks continue to rise, and earlier this month a group attacked nearly one million WordPress sites, according to cyber-security firm Wordfence. The company reported that this particular hacker group engaged in a campaign of massive proportions:
Hackers generally target the many plugins and themes used by WordPress developers which, whilst often a cheap and quick solution for a developer, can be poorly written with inherent vulnerabilities or badly maintained with out-of-date security patches. The recent attacks, for example, targeted many such plugins, including Easy2Map, Blog Designer, WP GDPR Compliance, Total Donations and the Newspaper theme.
Vulnerabilities have also been uncovered in the PageLayer plugin, which many sites use to build web pages with a user-friendly drag-and-drop mechanism, that could allow hackers to hijack the more than 200,000 websites that use it. The bugs could be used by hackers to perform all manner of malicious activities, including creating admin accounts, funnelling visitors to dangerous domains, invading a user's computer via the web browser, injecting rigged code, changing site content and even erasing all content.
The flaws were discovered on 30th April and PageLayer subsequently issued a patch on 6th May. However, only around 85,000 users updated to the latest version in the following 3 weeks, leaving some 120,000 still at risk. Wordfence warned that the group is sophisticated enough to develop new techniques and could potentially target other vulnerabilities in the future, and advised WordPress website owners to update any themes and plugins they have installed on their sites.