
This Week’s Top 20 Attacked Themes and Who is Attacking Them

This entry was posted in Research, Vulnerabilities, Wordfence, WordPress Security on August 9, 2016 by Mark Maunder

Today we’re publishing statistics on the attacks we are seeing on themes across the WordPress ecosystem. The Wordfence Firewall provides us with attack telemetry across a large number of sites that we protect. The data we’re sharing today is based on the following high-level metrics:

  • An analysis of 15,949,826 total attacks across the past 7 days – from Monday August 1st to Monday August 8th (yesterday) on sites that Wordfence protects.
  • Attacks on 519,592 unique Wordfence customer websites.
  • Attacks originating from a total of 72,896 unique IPs. 

The “Theme Slug” below is a term used in WordPress parlance. It refers to the unique directory name that is created in the wp-content/themes/ directory for the theme when it is installed. This uniquely identifies themes in the WordPress ecosystem. To find out more about the theme, simply Google the ‘slug’.

The table shows, for each theme, the total attacks we recorded across all sites, the number of IPs that launched an attack on the theme, and the number of unique sites on which we recorded attacks targeting that theme. To be clear, that is not the number of sites actually running the theme. It’s simply the number of sites where someone tried to attack the theme, whether it was installed or not.

We explain why most of these themes are being attacked and what the “Bulk Disclosed” column means below the table.

| Theme Slug | Total attacks | Unique IPs attacking | Unique sites attacked | Vulnerability Type | Bulk Disclosed |
|---|---|---|---|---|---|
| churchope | 172,782 | 2,055 | 63,115 | LFI | X |
| mTheme-Unus | 163,644 | 2,303 | 90,803 | LFI | |
| lote27 | 135,948 | 1,922 | 60,638 | LFI | X |
| SMWF | 121,725 | 1,466 | 85,228 | LFI | X |
| markant | 118,962 | 1,399 | 83,418 | LFI | X |
| felis | 118,437 | 1,431 | 81,800 | LFI | X |
| MichaelCanthony | 114,503 | 1,389 | 79,059 | LFI | X |
| TheLoft | 113,990 | 1,387 | 78,644 | LFI | X |
| parallelus-mingle | 105,648 | 1,568 | 54,279 | LFI | |
| urbancity | 96,810 | 1,678 | 56,952 | LFI | X |
| trinity | 89,603 | 1,410 | 52,326 | LFI | X |
| authentic | 82,692 | 1,817 | 37,312 | LFI | X |
| parallelus-salutation | 73,025 | 1,628 | 35,886 | LFI | |
| elegance | 68,928 | 1,009 | 21,726 | LFI | |
| awake | 68,424 | 1,031 | 21,323 | LFI | |
| antioch | 63,174 | 1,365 | 26,243 | LFI | X |
| modular | 62,470 | 990 | 19,770 | LFI | |
| epic | 53,903 | 925 | 17,400 | LFI | X |
| infocus | 52,739 | 989 | 19,942 | LFI | |
| Newspapertimes_1 | 50,707 | 943 | 29,297 | LFI | |
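
To produce the same per-slug figures from your own web server access log, and to separate probes of themes you do not run from probes of themes you do, here is an added example (not Wordfence's code or data). It assumes combined log format; the log lines are constructed, `example.php` and `f` are placeholder names, and the traversal/`wp-config.php` heuristic is an assumption about what a file-inclusion attempt looks like.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample (combined log format). IPs are documentation ranges;
# "example.php" and "f" are placeholders, not real theme files or parameters.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Aug/2016:10:01:02 +0000] "GET /wp-content/themes/churchope/example.php?f=../../../wp-config.php HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [08/Aug/2016:10:01:03 +0000] "GET /wp-content/themes/felis/example.php?f=..%2F..%2Fwp-config.php HTTP/1.1" 404 512 "-" "-"
198.51.100.23 - - [08/Aug/2016:10:05:40 +0000] "GET /wp-content/themes/churchope/example.php?f=%252e%252e%252fwp-config.php HTTP/1.1" 404 512 "-" "-"
198.51.100.23 - - [08/Aug/2016:10:05:41 +0000] "GET /wp-content/themes/twentysixteen/style.css?ver=4.5.3 HTTP/1.1" 200 9000 "-" "-"
192.0.2.44 - - [08/Aug/2016:11:12:13 +0000] "GET /wp-content/themes/awake/example.php?f=../../wp-config.php HTTP/1.1" 200 20 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
THEME_RE = re.compile(r"^/wp-content/themes/([^/]+)/")
# Assumed heuristic: directory traversal or a request for wp-config.php
# in the query string marks a file-inclusion attempt.
SUSPICIOUS_RE = re.compile(r"\.\.[/\\]|wp-config\.php", re.IGNORECASE)


def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded traversal is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def theme_probe_stats(log_text, installed_slugs):
    """Per theme slug: attempts, unique source IPs, whether the theme is
    installed here, and how many attempts were answered with HTTP 200."""
    raw = defaultdict(lambda: {"attempts": 0, "ips": set(), "answered_200": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        url = urlsplit(target)
        theme = THEME_RE.match(fully_unquote(url.path))
        if not theme or not SUSPICIOUS_RE.search(fully_unquote(url.query)):
            continue
        entry = raw[theme.group(1)]
        entry["attempts"] += 1
        entry["ips"].add(ip)
        entry["answered_200"] += status == "200"
    return {
        slug: {"attempts": e["attempts"], "unique_ips": len(e["ips"]),
               "installed": slug in installed_slugs,
               "answered_200": e["answered_200"]}
        for slug, e in raw.items()
    }


if __name__ == "__main__":
    for slug, row in theme_probe_stats(SAMPLE_LOG, {"twentysixteen", "awake"}).items():
        print(slug, row)
```

Rows with `installed` true and a non-zero `answered_200` are the ones to triage first; probes for slugs that are not installed only show that the site was scanned.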


Who is attacking these themes?

Back in December, 2014 a researcher bulk disclosed a large number of WordPress theme vulnerabilities. The disclosure includes a script that targets a single site and tries to exploit vulnerabilities in a large number of themes. The vulnerabilities it tries to exploit are all file inclusion vulnerabilities.

In the comments at the top of the script that was disclosed, the researcher also includes an example of how to use the script with the powerful INURLBR scanner which he also wrote. This allows attackers and presumably other researchers to bulk find and exploit WordPress sites by trying to exploit the theme vulnerabilities disclosed.

This is the example included in the disclosure:

./inurlbr.php --dork 'inurl:/wp-content/themes/' -q 1,6 -s save.txt \
   --comand-all "php exploit.php _TARGET_"

In the statistics above, every theme marked with an X was part of that bulk disclosure, which also contained the inurlbr exploit example. So we think what is happening is that so-called “script kiddies” (unsophisticated hackers) are grabbing the researcher’s original example from December 2014 and trying to exploit old vulnerabilities in themes.

All these exploits are being blocked by the Wordfence firewall. It’s also likely that many, possibly all of the themes have now fixed this vulnerability, although we recommend that if you use any of these themes you verify with your vendor that your current version contains no vulnerabilities.

The INURLBR scanner has evolved since it was first released in July 2014 into a powerful tool that allows attackers to bulk locate and exploit WordPress websites and sites using other CMSs. The scanner includes:

  • Support for a huge range of search engines to “Google dork” and find targets for attack.
  • Bulk exploiting of targets once found.
  • The ability to use proxies to hide where queries and exploits are coming from.
  • The ability to rotate proxies to constantly change IP.
  • Ability to hide behind Tor.
  • It can send vulnerable sites to an IRC channel, presumably for botnet integration.
  • It includes many other features like regex matching/extraction and more.

It’s possible that many users of INURLBR are using the original bulk disclosure to test INURLBR before launching more sophisticated attacks. That may explain why those original themes are dominating our top 20 list of exploited themes.

At Wordfence we constantly mine attack data to discover how to better protect our customers. Upgrade to Wordfence Premium today to receive real-time firewall rule updates, premium support and much more.

We encourage you to comment and share this data with the larger WordPress community.


41 Comments on "This Week’s Top 20 Attacked Themes and Who is Attacking Them"

Dr. Scott Best August 9, 2016 at 9:31 am • Reply

Dear Mr. Maunder,

My site [removed by mod], has been under attack continuously for the past 48-hours by the site you described that originates in Russia, except they are attacking from hundreds of sites distributed around the world. I suspect these are infected sites that they have taken partial control of by a virus. Are you aware of this activity taking place on sites other than [removed by mod]? Can anything be done to circumvent this attack?


Dr. Scott Best
[Full sig removed by mod]

mark August 9, 2016 at 10:22 am • Reply

Hi Scott,

I've edited your comment to remove some detail. We do have the ability to do that level of analysis but unfortunately we don't have the capacity to analyze what is happening on your own site vs other sites right now. If you'd like individual analysis, we might be able to do that if you sign up for our site cleaning service (even though you don't have a hacked site) - I could assign one of our analysts to compare your attacks to attacks on other sites. Sorry if this sounds like a sales pitch, it's not. I just don't have the capacity to give your question the answer it deserves.

However if you are seeing attacks that are bypassing Wordfence firewall then please do let us know either via our free or premium support channels. I'm reasonably sure the Wordfence WAF is doing a great job of blocking those attacks for you and if that's the case, then you don't have anything to worry about. If we're missing anything, let us know and we'll get that fixed (at no charge) quite quickly.

Thanks for your comment.


Larry Johnson August 9, 2016 at 12:33 pm • Reply

I am experiencing the same type of attacks that Dr. Scott Best and others are reporting on 50 of the 79 sites which I support. All have WordFence on them. So, in case you didn't realize it before, this is a widespread, worldwide, ongoing attack. This past Sunday registered 472 individual attacks on one of my sites; another registered 342.

I spend several hours each day working with security issues on my sites which my organization provides at no charge to affiliated members. One of the problems I encounter with all this security is that my VPS server is constantly reporting out of memory and out of disk space due to the continued attacks.

So far none of these attacks have managed to bypass the firewall and get into the site BUT it is only a matter of time and attempts until that happens.

It would really help a lot if you were to make your list of "bad guys IPs" available to all of us good guys with a way to load that database into your WordFence "Blocked IP Addresses". That way we could at least make it harder for the rat bastards.

Larry Johnson

Oka August 9, 2016 at 11:35 am • Reply

Just use wordfence plugin, that's all.

Robin August 9, 2016 at 1:52 pm • Reply

I'm wondering if Cloudflare would cut down on some of these attacks?

Robert August 9, 2016 at 9:08 pm • Reply

Yes Cloudflare will block some of these attacks, however if the attack continues, Cloudflare will add a captcha for unknown users. In the admin panel of Cloudflare you can set the security level and how long the captcha is valid for visitors.

What I have done is used Cloudflare, set security to low. If I am under attack (ddos) I raise the security to "underattack"

My second line of defense is Wordfence, which is by far the best defense.
And of course, I use strong passwords and a plugin called "Login LockDown"

Good luck everyone. hope this information helps.


Bill Cumming August 9, 2016 at 9:37 am • Reply

Reading articles like this I usually end up thinking either (or both at the same time!)
I'm glad the theme I'm using isn't on that list, it's not got any flaws.
I'm worried that the theme I'm using isn't in the list, it might have an undiscovered flaw...

Glad I've WordFence installed keeping guard!!

Bruce Wesley Chenoweth August 9, 2016 at 9:56 am • Reply

Having Wordfence on my websites lowers my blood pressure and helps me sleep at night!

You folks are security Rock Stars in my book.

Thanks for what you do!!

Debwork August 9, 2016 at 10:11 am • Reply

The theme author for Awake abandoned the theme some time ago and I have converted most client sites off of it. . . just one to go. A good reminder to perform the housekeeping - the theme best be deleted even though Wordfence has kept the exploits at bay.


Todd August 9, 2016 at 10:21 am • Reply

On August 4th and 5th a site I manage was attacked repeatedly from 100's of IPs and various countries, all trying to login with either a legitimate user name, or "admin". I blocked all the IP Networks, (took forever)...

bcr8tive August 9, 2016 at 10:45 am • Reply

You don't have to block them individually, WF can do it for you.
You can define the /path they're striking, and the duration of time you want them blocked.

Steve Cooper August 9, 2016 at 11:01 am • Reply

Because of the number of (unsuccessful but numerous) brute force login attempts on individual sites I've upgraded to Wordfence premium and opted for country blocking. However I am concerned about blocking legitimate search engine spiders. Can you advise from which countries such spiders as Google, Bing, Yahoo operate so that I can exclude them from country blocking.

mark August 9, 2016 at 11:50 am • Reply

Wordfence doesn't block legitimate crawlers. If you have questions about the details, please post in our support channel and we'll be glad to help.

bheru lal gaderi August 9, 2016 at 11:02 am • Reply

Thanks for sharing this data with us.
I'm using Wordfence and I'm glad that my blog is safe. Thanks again.

Damir August 9, 2016 at 11:06 am • Reply

I simply blocked the whole Russian region as most of the 'visits' from there have proven to be attempts at login and other malicious attacks. After all, I have nothing valuable there for their interest. :)

Andrea August 9, 2016 at 11:11 am • Reply

I've a server that hosts about one hundred sites powered by WordPress. Is there a way to protect all of them without installing Wordfence for every site? The problem here is the (quite little) overhead generated by Wordfence multiplied for the number of sites. If I install Wordfence in every site I'll sure get protection but I'll get exposed to ddos due to the not infinite resources available on the server.
Btw I really appreciate your work and I'm already a premium user with some websites.

mark August 9, 2016 at 11:48 am • Reply

Hi Andrea. You can try disabling live traffic on all sites if you're low on resources. That should help. The firewall is actually super high performance and shouldn't affect site performance at all. We've benchmarked it with over 30,000 rules and it is still fast - so with the much smaller operational ruleset we run it's incredibly fast.

Nastya August 11, 2016 at 3:40 pm • Reply

My live traffic is off but there are still 2 problems. 1. It still shows me IPs that tried to hack my websites. 2. Now wordfence started showing me that I'm low on space (but I have 2 GB).

Isso August 9, 2016 at 11:30 am • Reply

Thank goodness for WordFence, or my site would be down every other day from these "script kiddies" with nothing better to do but try to tear down online businesses. I've been using WordPress for years and have had multiple sites taken down by these types of individuals and I have to admit that WordFence IS SO worth it -- every penny.

Imran Nazish August 9, 2016 at 11:48 am • Reply

I am going to double check my site security. Thanks for sharing this info.

angelo August 9, 2016 at 2:24 pm • Reply

First, I want to thank the folks at WF for their hard work. Next, it would be nice if you guys would share the bad guy's IP addresses so we can add them to CSF or to WF Advanced blocking; maybe a 'Top 10' offenders list. - Finally, thanks for building in the ability to block by 'User-Agent'. It puts an end to the kiddies that can rapidly spoof their IP. Thanks again guys, great work.

mark August 9, 2016 at 3:50 pm • Reply

Thanks Angelo!

Beth August 9, 2016 at 5:01 pm • Reply

I have Wordfence on all three of my sites. Thank God for you guys! About a month ago I had thousands of hits in a matter of days. If I didn't have Premium on all three sites, I'd be down for the count. My go-to page when I log on is to "Page Not Found." That's the fastest way to find the attempted logins. I'm using a plug in that changed what I type in to get to the log on page, so it's immediately obvious when an attempt is made.

I have a quick question, though. I frequently see that people have attempted to access a php file or have tried to type in htaccess. So far it gets blocked right away. Is there any reason any legitimate person would be trying to log on to my php or htaccess files? Sounds like hacking to me. You may have to block out the details below, but I think you should have it for your reference. I've gotten multiple hits in the past month from these people. I keep blocking the IP and it keeps showing up under a different IP address, but the Who Is info is pretty much the same.

The IP info says it's from Amazon AWS

Examples are: /pma/scripts/setup.php
and this one really freaked me out -- /w00wtw00t.at.blackhats.romanian.anti-sec:)

All of the above was coming from Wilmington, US
hostname same as IP
Browser Undefined with the letters ByZr underneath that.

mark August 10, 2016 at 12:46 am • Reply

Hi Beth,

We're constantly analyzing these patterns and we do a pretty good job of adding rules that block weird access patterns that clearly are an attacker. In fact I'm taking a break from mining attack data to moderate these comments. :)


Maxton August 9, 2016 at 5:08 pm • Reply

Just set it and forget it, WF is a great app, finally I can sleep at night.

somepissedoffguy August 9, 2016 at 5:41 pm • Reply

Why are we not being given the tools to fight back more aggressively I wonder?
same issue.. many, many attempts 40k+now in a very short time.
I'm looking into it! BEWARE RUSSIA!

john August 9, 2016 at 7:43 pm • Reply

we used wordfence and mcafee secure free version on our wordpress site but search result-google-showing THE SITE MAY BE HACKED

why this error message showing and how to remove it

thanks in advance

mark August 10, 2016 at 12:44 am • Reply

Hi John,

Google has flagged you for malware. Post on our forums and our support guys can take a look. Our site cleaning team may have to get involved.


Shazar August 9, 2016 at 8:17 pm • Reply

Thanks so much.. the last days have been inundated with attacks!
Larry Johnson (above) said "One of the problems I encounter with all this security is that my VPS server is constantly reporting out of memory and out of disk space due to the continued attacks." One of my sites is also reporting this.. but on querying the problem it appears it is not due to the attacks but due to something else which I am yet to uncover.
The message I am receiving is: [Aug 10 11:14:04] Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 7988515 bytes) in /home/thecorp1/public_html/wp-includes/wp-db.php on line 1255.
Am I correct in thinking this is not connected to the attacks but is some other problem?
If I turn off all the scans to include, no error but when I only turn on "Scan for signatures of known malicious files" it happens.

Thanks again for your invaluable contribution to so many!!

mark August 10, 2016 at 12:44 am • Reply

Hi Shazar, Please post that on our support forum and our guys will help you.

Anshul August 9, 2016 at 10:52 pm • Reply

Hi, from last few days I got an error message like "Malware attack from China". We have resolved it, and now it's not coming.
But after these we got one more new issue, that Hebrew error pop-up, when I'm opening my website. It's an inconsistent issue. Something written in Chinese language on that pop-up.
I'm using coloring WordPress theme.

Bert Zomer August 9, 2016 at 11:15 pm • Reply

Thanks for the updates (WordFence Team) in the past I have had countless trouble with spammer causing havoc even to the point of unnecessary bandwidth server constantly out of memory emails compromised I ended up closing the Cpanel down. I then went over to the WordPress hosting since I started using WordFence I have not had to worry well not as much anyway However I do use WangGuard plugin as well.

I appreciate the fact that WF Team is always on the watch continuous updates I always know when members are signing in or something has changed. Awesome Software

James Taiwo August 10, 2016 at 6:08 am • Reply

Glad you posted this. Very useful information here.

Mohamed Bhimji August 10, 2016 at 11:10 am • Reply

I should be reading these posts more often... since there are so many "bad" themes out there. What themes that may be free or paid are "good"? Themes which have no vulnerabilities that seem to be common to many of these other themes?

Ian August 10, 2016 at 1:28 pm • Reply

A number of these themes (infocus, modular, elegance) are all from mysitemyway.com. Although the website is still up, these themes are effectively abandoned so people who are using them need to migrate away asap.

Paul August 13, 2016 at 10:22 am • Reply

I have blocked IP's by country for China, Russia and a couple of others they don't even get to the website. The websites I have are aimed at USA/North America audience mostly. This strategy has been really effective. If you don't need or want worldwide access this is a good way of stopping the attacks at the front door.

Wordfence is a top notch plugin and I'm constantly pleasantly surprised at the continual efforts to keep it that way by being proactive.

jyoti August 16, 2016 at 11:22 pm • Reply

Nice post :D

Mike August 17, 2016 at 4:47 pm • Reply

All my websites were hacked i used Host gator....i do not trust them anymore...i had to rebuild most of my sites and some are not finished....since i added Wordfence i eliminated a lot of hackers....it tells me when something is going on in my site...i go look at it correct it and that's it ....thanks a lot guys....got one question...your premium pkg...is that billed monthly or do you take the whole thing....also what is the cost per website for the premium pkg....i think your site should be designed easier to get the premium pkg....its confusing.....you should look into that...Mike

Maria August 18, 2016 at 2:14 am • Reply

Good to know about these themes and I do Wordfence for providing better information about the hacks and to secure websites

Andrea September 2, 2016 at 1:39 am • Reply

WF simply save my professional life :-)
Thank you to all those about this complete plugin.

xenspirit September 4, 2016 at 4:07 pm • Reply

Is there a vulnerability of a cufon-yui.js file? I'm noticing a lot of weird activity including trying to access that file which I do not believe is on my website.
