Be Warned: There’s A Surge in XSS Attacks against WordPress Sites

Did you know that more than 500 sites are built daily using WordPress? In comparison, only 60-80 sites per day are built on platforms such as Shopify and Squarespace. As we have said many times, WordPress has a 60.8% market share in the CMS (content management system) market, while powering 14.7% of the world’s top websites. However, the popularity and wide adoption of WordPress have their downsides.

As it becomes more widespread, WordPress is also increasingly targeted by malicious hackers. Wordfence researchers recently detected a 30-fold increase in a specific type of attack: cross-site scripting, or XSS for short. XSS is a type of injection attack in which malicious scripts are injected into trusted websites.

A Surge in XSS Attacks against WordPress Sites

Not only are XSS attacks seemingly growing but they are also being carried out by the same threat actors. We wrote about these attacks: 900,000 WordPress websites were targeted.

The purpose of the attacks was either to redirect website visitors to malvertising pages or, if an administrator was logged in, to infect the site with a backdoor.

According to the Wordfence research team, most of these attacks are likely caused by a single threat actor, based on the deployed payload. The payload in question is a malicious JavaScript that redirects visitors and takes advantage of an administrator’s session to drop a backdoor into the WordPress theme’s header.

This was registered at the beginning of May. How does the picture look now?

As of May 11, 2020, attacks by this same threat actor have once again ramped up, and are ongoing. This attacker has now attacked over 1.3 million sites in the past month. As of May 12, 2020, attacks by this threat actor have outpaced all other attacks targeting vulnerabilities across the WordPress ecosystem, the researchers report.

Furthermore, it seems that these newer attacks are targeting the same vulnerabilities, “with a heavy focus on older XSS vulnerabilities”. This is yet another reminder of how important it is to keep everything up-to-date – WordPress itself as well as its plugins, themes, etc.

It is also worth mentioning that the Wordfence Threat Intelligence team has been able to link these malicious hackers to previous attacks with payloads hosted at domains such as collectfasttracks[.]com and destinyfernandi[.]com.

Attacks against WordPress Sites Are Getting More Sophisticated

WordPress site owners and admins should note that these hackers are continuing their malicious campaigns, and the attack volume is increasing. In other words, these attackers are getting more aggressive. Here are some statistics to illustrate this claim:

The earliest attacks containing the destinyfernandi[.]com payload occurred on February 9th and 10th, 2020 and targeted over 200,000 sites with 3.8 million requests. On March 14 and 15, 2020, attacks containing the collectfasttracks[.]com payload ramped up and targeted over 500,000 sites with more than 7 million requests. That is an approximate doubling in attack volume and number of sites targeted from February to March.

Apparently, this hacker collective has even fixed a bug in the previous version of its PHP backdoor. They also added two more backdoor variants. The additional backdoors now allow attackers to maintain access to the compromised site, even in cases when the payload URL is taken down due to an abuse complaint, Wordfence says.

What Should You Do to Protect Your WordPress Site?

The most important rule is to update all outdated WordPress plugins and themes. Another step is to deactivate and delete any installed plugins that have been removed from the official WordPress repository.
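Since the payload described above drops its backdoor into the theme's header, site owners can also check theme header files for references to the two payload domains named in this article. The following script is an added example, not code from Wordfence or from the original article; it assumes the stock wp-content/themes/<theme>/header.php layout, and the function names and the sample site are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Payload-hosting domains named in the article, kept defanged as published.
DEFANGED_INDICATORS = ["collectfasttracks[.]com", "destinyfernandi[.]com"]


def refang(indicator):
    """Turn 'example[.]com' back into 'example.com' for matching."""
    return indicator.replace("[.]", ".")


def scan_theme_headers(wp_root, indicators=DEFANGED_INDICATORS):
    """Return {header.php path: [matched domains]} for every theme.

    Assumes the stock wp-content/themes/<theme>/header.php layout. A plain-text
    match will not catch a reference that is encoded or obfuscated.
    """
    pattern = re.compile(
        "|".join(re.escape(refang(i)) for i in indicators), re.IGNORECASE
    )
    hits = {}
    for header in sorted(Path(wp_root).glob("wp-content/themes/*/header.php")):
        text = header.read_text(encoding="utf-8", errors="replace")
        found = sorted({m.group(0).lower() for m in pattern.finditer(text)})
        if found:
            hits[str(header)] = found
    return hits


def build_sample_site(root):
    """Constructed sample: one clean theme and one with an injected script tag."""
    clean = Path(root, "wp-content/themes/clean-theme")
    dirty = Path(root, "wp-content/themes/old-theme")
    for d in (clean, dirty):
        d.mkdir(parents=True)
    (clean / "header.php").write_text("<head><?php wp_head(); ?></head>\n")
    injected = '<script src="//%s/x.js"></script>' % refang(DEFANGED_INDICATORS[0]).upper()
    (dirty / "header.php").write_text("<head>" + injected + "<?php wp_head(); ?></head>\n")
    return root


if __name__ == "__main__":
    # Usage: python scan_headers.py /path/to/wordpress (defaults to current dir)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, domains in scan_theme_headers(root).items():
        print(path, "->", ", ".join(domains))
```

A hit means the header file should be reviewed and compared against a clean copy of the theme; an empty result does not rule out a compromise, because only these two domains are checked.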
