A critical flaw in WordPress plugins has been found to leave websites vulnerable to attack. According to Wordfence, a bug in one of the WordPress plugins allowed attackers to create admin accounts without the knowledge of the website owners. The attackers then used those accounts to hack into the websites and compromise data or disrupt the servers on which they were hosted.
The attackers also obfuscated their payloads so that WAF and IDS software is not able to detect and remove them. Wordfence also found out where the attacks were “originating from and they have identified various IP addresses linked to web hosting providers”. Since the discovery, most of these IP addresses have ceased activity, except one.
Wordfence says that “The IP address in question is 220.127.116.11, a Rackspace server currently hosting some presumably compromised websites. We have reached out to Rackspace to inform them of this activity, in hopes that they will take action in preventing further attacks from their network. We have not yet heard back.”
Wordfence also advises website owners to keep their plugins updated. “As always, updating the plugins and themes on your WordPress site is an excellent layer of defence against campaigns like these. Check your site for needed updates frequently to ensure you’re receiving the latest patches as they’re released. Wordfence users periodically receive emails informing them when updates are available as well.”