- Security researchers find more than 5,000 websites containing malicious code
- The malware installs a plugin that steals login credentials and sensitive data.
- The researchers recommended a series of mitigation measures.
Thousands of WordPress websites were observed running malware capable of creating a fraudulent administrator account and exfiltrating sensitive data through malicious plugins.
A new report from security researcher Himanshu Anand of c/side claims that at least 5,000 WordPress websites were found to be hosting a malicious script that creates an unauthorized administrator account with a username and password that can be found in the code.
After creating the account, the script downloads a malicious WordPress plugin and executes it. The plugin, which was not named in the report, is tasked with exfiltrating sensitive data to a remote server, including administrator credentials and the site's operational status.
How to defend
Researchers were unable to determine exactly how the malicious code ended up on these websites.
“So far, we have not identified a common denominator and our investigation is ongoing,” Anand said.
Site owners who want to check whether their website references the malicious domain can search for it on one of these services, the researcher recommended:
- PublicWWW.com
- URLScan.io
To defend against attacks, c/side recommends blocking the domain https://wp3[.]xyz in firewalls or security tools, auditing WordPress admin accounts for unauthorized users, removing suspicious plugins and validating existing ones, and strengthening CSRF protections and implementing multi-factor authentication (MFA). Ultimately, they also recommend using the services of c/side.
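The account and plugin audit c/side recommends can be scripted. The following is an added example written for this page, not code from c/side or from WordPress. It assumes you capture the JSON output of `wp user list --role=administrator --format=json` and `wp plugin list --format=json` (WP-CLI), compare it against an allowlist you maintain, and scan the plugin directory for the indicator domain from the report. The sample users, plugins and plugin files below are constructed for the demonstration; the report does not name the account the script creates or the plugin it installs.

```python
"""Audit helpers for the WordPress campaign described above.

Added example, not code from c/side or WordPress. The allowlists and the
sample data are constructed; adapt them to your own site.
"""
import json
import os
import tempfile

# Indicator from the c/side report, kept defanged in source so the audit
# script itself does not trip content scanners; refang() restores it.
INDICATOR_DOMAIN = "wp3[.]xyz"


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('wp3[.]xyz', 'hxxps://') into literal text."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def unexpected_admins(users_json: str, allowlist: set) -> list:
    """Return administrator user_logins that are not in the allowlist.

    Input is the JSON emitted by `wp user list --format=json`, where `roles`
    is a comma-separated string.
    """
    users = json.loads(users_json)
    return sorted(
        u["user_login"]
        for u in users
        if "administrator" in u.get("roles", "").split(",")
        and u["user_login"] not in allowlist
    )


def unexpected_plugins(plugins_json: str, allowlist: set) -> list:
    """Return plugin slugs from `wp plugin list --format=json` not in the allowlist."""
    plugins = json.loads(plugins_json)
    return sorted(p["name"] for p in plugins if p["name"] not in allowlist)


def files_referencing(root: str, ioc: str) -> list:
    """Walk `root` and return files (relative paths) containing the refanged IOC."""
    needle = refang(ioc).encode()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    if needle in fh.read():
                        hits.append(os.path.relpath(path, root))
            except OSError:
                continue  # unreadable file: skip, do not abort the audit
    return sorted(hits)


# Constructed sample data standing in for captured WP-CLI output.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "roles": "administrator"},
    {"ID": 57, "user_login": "maint_helper", "roles": "administrator"},
    {"ID": 8, "user_login": "editor1", "roles": "editor"},
])
SAMPLE_PLUGINS = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "site-helper", "status": "active", "update": "none", "version": "1.0"},
])


def build_sample_plugin_dir() -> str:
    """Create a constructed plugin tree: one clean plugin, one referencing the IOC."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    os.makedirs(os.path.join(root, "akismet"))
    os.makedirs(os.path.join(root, "site-helper"))
    with open(os.path.join(root, "akismet", "akismet.php"), "w") as fh:
        fh.write("<?php // clean plugin stub (constructed)\n")
    with open(os.path.join(root, "site-helper", "loader.php"), "w") as fh:
        fh.write("<?php $u = 'https://" + refang(INDICATOR_DOMAIN) + "'; // constructed\n")
    return root


def run_audit(users_json, plugins_json, plugin_root, admin_allow, plugin_allow) -> dict:
    """Combine the three checks into one report dictionary."""
    return {
        "unexpected_admins": unexpected_admins(users_json, admin_allow),
        "unexpected_plugins": unexpected_plugins(plugins_json, plugin_allow),
        "ioc_hits": files_referencing(plugin_root, INDICATOR_DOMAIN),
    }


if __name__ == "__main__":
    report = run_audit(SAMPLE_USERS, SAMPLE_PLUGINS, build_sample_plugin_dir(),
                       admin_allow={"siteowner"}, plugin_allow={"akismet"})
    print(json.dumps(report, indent=2))
```

Any admin account or plugin the audit flags should be investigated before removal, and a hit on the indicator domain in a plugin file is grounds to take that plugin offline and rotate every administrator credential, since the report says those are what the plugin exfiltrates.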
Being the most popular website builder on the planet, WordPress is constantly attacked by threat actors. However, since the core platform is generally well maintained, attackers focus on third-party plugins and themes, especially free-to-use ones, which often lack proper software support and timely security fixes.
As a general rule, businesses should only use plugins and themes from trusted sources and with a strong support community. They should also make sure to uninstall any plugins they are not using and keep any remaining ones updated.