Millions of WordPress sites have been probed and attacked this week, Defiant, the company behind the Wordfence web firewall said on Friday.
The sudden spike in attacks happened after hackers discovered and started exploiting a zero-day vulnerability in “File Manager,” a popular WordPress plugin installed on more than 700,000 sites.
It’s unclear how hackers discovered the zero-day, but since earlier this week, they began probing for sites where this plugin might be installed.
If a probe was successful, the attackers would exploit the zero-day and upload a web shell disguised inside an image file on the victim’s server. The attackers would then access the web shell and take over the victim’s site, ensnaring it inside a botnet.
Millions of sites have been probed, attacked
“Attacks against this vulnerability have risen dramatically over the last few days,” said Ram Gall, Threat Analyst at Defiant.
The attacks started slow, but intensified throughout the week, with Defiant recording attacks against 1 million WordPress sites, just on Friday, September 4.
In total, Gall says Defiant blocked attacks against more than 1.7 million sites since September 1, when the attacks were first discovered.
The 1.7 million figure is more than half of the number of WordPress sites using the Wordfence web firewall. Gall believes the true scale of the attacks is even much larger, as WordPress is installed on hundreds of millions of sites, all of which are probably being gradually probed and hacked.
The good news is that the File Manager developer team created and released a patch for the zero-day on the same day it learned about the attacks. Some site owners have installed the patch, but, as usual, others are lagging behind.
It is this slowness in patching that has recently driven the WordPress developer team to add an auto-update feature for WordPress themes and plugins. Starting with WordPress 5.5, released last month, site owners can configure plugins and themes to auto-update themselves every time a new update is out and make sure their sites are always running the latest version of a theme or plugin and staying safe from attacks.