Massive Attack Against 1.6 Million WordPress Websites

Wordfence reported a series of attacks during the week of December 5th that affected 1.6 million WordPress websites. The attacks came from over 16,000 IP addresses over a total of 36 hours. Wordfence reported blocking more than 13.7 million attacks.

Targeted Plugins and Themes

The attacks targeted four WordPress plugins and 15 Epsilon Framework themes. The four affected plugins are:

  • PublishPress Capabilities
  • Kiwi Social Plugin
  • Pinterest Automatic
  • WordPress Automatic

The 15 affected Epsilon Framework themes include the following:

  • Shapely
  • NewsMag
  • Activello
  • Illdy
  • Allegiant
  • Newspaper X
  • Pixova Lite
  • Brilliance
  • MedZone Lite
  • Regina Lite
  • Transcend
  • Affluent
  • Bonkers
  • Antreas
  • NatureMag Lite

The targeted plugins have patches dating back to 2018, with some vulnerabilities addressed just last week. Kiwi Social Share has been patched since November 2018, WordPress Automatic and Pinterest Automatic since August 2021, and PublishPress Capabilities since early December of this year. Of the affected Epsilon Framework themes, NatureMag Lite does not have an available patch. Wordfence recommends that users update their plugins and themes as soon as possible and immediately uninstall NatureMag Lite.

What to do

The first step toward protecting your websites from this attack is to review your user accounts for any that are unauthorized. Attackers were setting the users_can_register option to enabled and the default_role option to “administrator.” That made it possible to register on any selected site as an administrator and wreak some major havoc. If you see any unknown user accounts, remove them immediately. They can’t sit here.

Next, review your site settings and revert them to their original state. In addition, Wordfence recommends not using “Administrator” as the default role. Attackers were registering on vulnerable sites as an Administrator, which is how these problems started in the first place.
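
The two checks above can be scripted. The following is an added example, not code from Wordfence or from this post; it assumes WP-CLI (the wp command) is installed and is run from the WordPress root, and the function names are made up for illustration.

```sh
#!/bin/sh
# Added example: audits the settings and accounts named in "What to do".
# Assumes WP-CLI ("wp") is installed and this runs from the WordPress root.

# Exit status 2: open registration AND administrator default (the attack state).
# Exit status 1: administrator default only. Exit status 0: neither.
audit_registration() {
    can_register=$(wp option get users_can_register)
    default_role=$(wp option get default_role)
    if [ "$default_role" = "administrator" ] && [ "$can_register" = "1" ]; then
        echo "CRITICAL: anyone can self-register as administrator"
        return 2
    elif [ "$default_role" = "administrator" ]; then
        echo "WARN: default_role is administrator (registration currently closed)"
        return 1
    fi
    echo "OK: users_can_register=$can_register default_role=$default_role"
}

# Print administrators registered on or after a cutoff date (YYYY-MM-DD).
# user_registered is "YYYY-MM-DD HH:MM:SS", so string order equals date order.
# Quotes are stripped because CSV output may quote fields containing spaces.
admins_since() {
    wp user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered --format=csv |
    awk -F, -v cutoff="$1" '
        { gsub(/"/, "") }
        NR > 1 && $4 >= cutoff { print $2 " <" $3 "> registered " $4 }'
}

# Run only where WP-CLI is available; with no argument every admin is listed.
if command -v wp >/dev/null 2>&1; then
    audit_registration || echo "Review the options above before re-opening registration."
    admins_since "${1:-0000-00-00}"
fi
# To restore the WordPress default role after review:
#   wp option update default_role subscriber
```

Pass the date your site was last known to be clean as the first argument to narrow the administrator list to accounts created since then.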

How We Can Help

All of this can be pretty overwhelming and time-consuming. But maintaining and protecting your site doesn’t have to be overwhelming. With one of Curious Minds’ WordPress maintenance plans, our team of developers closely monitors your site, so vulnerabilities and attacks like this one are detected early and stopped. Contact us today to keep your website protected and supported.

About Curious Minds
We are a web development firm in New York and Chicago, providing development resources and consulting for websites and mobile apps since 2004.