
Top 50 Most Attacked WordPress Plugins This Week

This entry was posted in Research, Vulnerabilities, Wordfence, WordPress Security on August 17, 2016 by Mark Maunder.

Last week we shared the top 20 most attacked WordPress themes and an explanation of why many of them are targeted. This week we’ve dug deep into the data and we are publishing the top 50 most attacked WordPress plugins during the past 7 days.

The data we’re sharing today is based on the following high-level metrics:

  • During the past week Wordfence blocked 20,644,496 unique attacks across all the sites we protect.
  • We saw attacks from 73,629 unique IP addresses during the period.
  • 20,622,975 attacks came from IPv4 addresses and 15,160 came from IPv6 addresses.
  • Of the approximately 1.5 million active websites that we protect, 581,689 of those sites received attacks during the past week.

The following is a list of plugins that received the most attacks during the past week, counted as the 7 days ending on Tuesday evening, August 16th. Once again we are showing the plugin ‘slug’, which is the unique directory name the plugin uses when it is installed into WordPress.

This week we are ordering things slightly differently. We have the plugins ordered by number of unique sites that received attacks, labeled as “Sites attacked”. We feel this is a more useful order because it shows how widespread an attack is on a particular plugin, rather than just raw volume of attacks.

“Total Attacks” indicates the total number of attacks that we logged on that plugin. “IPs” is the total number of unique IP addresses that an attack targeting the plugin originated from.

“Type” is the type of attack. In most cases it’s a “Local File Inclusion” attack, which allows an attacker to read any file they want on the target system. The vast majority of targeted files are either wp-config.php, which contains the database username, password and server name, or /etc/passwd, which contains the host operating system’s usernames.

Where we’ve labeled the Type as “Shell”, it indicates an attack that allows an attacker to upload a shell to the target site, which gives them full remote access. These are the most serious vulnerabilities and attacks.
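As an added example (not Wordfence’s own code), the script below derives the three per-plugin numbers used in the table, sites attacked, total attacks and unique IPs, and the “LFI”/“Shell” labels described above from ordinary web-server logs. It assumes Apache-style combined log lines with the virtual host logged first; the log lines, plugin endpoint names and parameter names in it are constructed.

```python
"""Turn web-server log lines into per-plugin attack metrics (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-log line with the virtual host (attacked site) logged first (assumption).
LOG_RE = re.compile(
    r'^(?P<site>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_RE = re.compile(r'^/wp-content/plugins/(?P<slug>[^/?#]+)')

# Files named in the post as the usual LFI targets, plus plain traversal.
LFI_MARKERS = ("wp-config.php", "/etc/passwd", "../")
PHP_EXT = (".php", ".phtml", ".php5")


def classify(method, raw_path):
    """Return "LFI", "Shell" or None for one request's method and path."""
    decoded = unquote(unquote(raw_path)).lower()   # undo double URL-encoding
    if any(marker in decoded for marker in LFI_MARKERS):
        return "LFI"
    if method == "POST":
        # A POST to a plugin path whose parameters name a PHP file: upload attempt.
        for values in parse_qs(urlsplit(decoded).query).values():
            if any(v.endswith(PHP_EXT) for v in values):
                return "Shell"
    return None


def aggregate(lines):
    """Count attacks, attacked sites and source IPs per plugin slug."""
    stats = defaultdict(lambda: {"sites": set(), "ips": set(), "attacks": 0, "type": "LFI"})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = PLUGIN_RE.match(m["path"])
        if not p:
            continue
        kind = classify(m["method"], m["path"])
        if kind is None:
            continue
        entry = stats[p["slug"]]
        entry["attacks"] += 1
        entry["sites"].add(m["site"])
        entry["ips"].add(m["ip"])
        if kind == "Shell":            # a shell upload outranks LFI for the label
            entry["type"] = "Shell"
    return stats


def report(stats):
    """Rows of (slug, sites attacked, total attacks, IPs, type), ordered like the post."""
    rows = [(slug, len(e["sites"]), e["attacks"], len(e["ips"]), e["type"])
            for slug, e in stats.items()]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


# Constructed sample: two LFI probes against recent-backups on two sites from one
# IP, one upload POST against wp-symposium, and two benign requests.
SAMPLE_LOG = """\
a.example 198.51.100.7 - - [16/Aug/2016:18:01:02 -0700] "GET /wp-content/plugins/recent-backups/sample.php?file=../../../../wp-config.php HTTP/1.1" 403 0
b.example 198.51.100.7 - - [16/Aug/2016:18:01:05 -0700] "GET /wp-content/plugins/recent-backups/sample.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 0
a.example 203.0.113.9 - - [16/Aug/2016:18:02:11 -0700] "POST /wp-content/plugins/wp-symposium/sample-upload.php?uploader_file=upload.php HTTP/1.1" 403 0
a.example 203.0.113.9 - - [16/Aug/2016:18:02:12 -0700] "GET /wp-content/plugins/wp-symposium/readme.txt HTTP/1.1" 200 512
c.example 192.0.2.44 - - [16/Aug/2016:18:03:00 -0700] "GET /?p=1 HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for slug, sites, attacks, ips, kind in report(aggregate(SAMPLE_LOG.splitlines())):
        print(f"{slug:<20} {sites:>5} {attacks:>5} {ips:>4} {kind}")
```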

All attacks are on vulnerabilities that are already publicly known. If you run any of these WordPress plugins, make sure that:

  1. You are using the newest version of the plugin.
  2. That version does not have any known vulnerabilities.
  3. You are running Wordfence with the Firewall enabled because we protect against all vulnerabilities shown.

The list of the top 50 most attacked plugins during the past week follows:

| Plugin | Sites attacked | Total attacks | IPs | Type |
|---|---|---|---|---|
| recent-backups | 182,525 | 351,014 | 3,467 | LFI |
| wp-symposium | 149,860 | 242,715 | 3,460 | Shell |
| google-mp3-audio-player | 138,282 | 307,743 | 2,032 | LFI |
| db-backup | 129,519 | 287,043 | 2,189 | LFI |
| wptf-image-gallery | 107,000 | 131,938 | 2,846 | LFI |
| wp-ecommerce-shop-styling | 103,471 | 131,011 | 2,887 | LFI |
| candidate-application-form | 103,017 | 127,359 | 2,820 | LFI |
| wp-miniaudioplayer | 91,546 | 196,557 | 1,381 | LFI |
| ebook-download | 88,461 | 189,640 | 1,408 | LFI |
| ajax-store-locator-wordpress_0 | 86,051 | 119,192 | 1,396 | LFI |
| hb-audio-gallery-lite | 82,041 | 105,618 | 1,505 | LFI |
| simple-ads-manager | 70,683 | 166,131 | 6,476 | Shell |
| revslider | 53,549 | 145,626 | 407 | Shell |
| inboundio-marketing | 53,063 | 112,696 | 874 | Shell |
| wpshop | 51,609 | 111,546 | 830 | Shell |
| dzs-zoomsounds | 51,089 | 225,032 | 731 | Shell |
| reflex-gallery | 49,853 | 111,624 | 699 | Shell |
| wp-mobile-detector | 38,764 | 115,235 | 800 | Shell |
| formcraft | 25,192 | 52,604 | 668 | Shell |
| sexy-contact-form | 19,076 | 50,649 | 316 | Shell |
| filedownload | 12,584 | 19,400 | 353 | LFI |
| plugin-newsletter | 11,982 | 23,887 | 451 | LFI |
| simple-download-button-shortcode | 11,558 | 21,502 | 427 | LFI |
| pica-photo-gallery | 11,059 | 16,587 | 262 | LFI |
| tinymce-thumbnail-gallery | 10,972 | 16,429 | 263 | LFI |
| dukapress | 10,814 | 16,235 | 333 | LFI |
| wp-filemanager | 10,756 | 16,634 | 331 | LFI |
| history-collection | 10,427 | 24,371 | 607 | LFI |
| s3bubble-amazon-s3-html-5-video-with-adverts | 10,312 | 24,011 | 595 | LFI |
| simple-image-manipulator | 7,268 | 8,272 | 448 | LFI |
| ibs-mappro | 5,555 | 18,738 | 448 | LFI |
| image-export | 5,442 | 6,047 | 266 | LFI |
| abtest | 5,431 | 5,885 | 297 | LFI |
| wp-swimteam | 5,119 | 5,433 | 238 | LFI |
| contus-video-gallery | 4,921 | 17,866 | 345 | LFI |
| sell-downloads | 4,393 | 4,746 | 240 | LFI |
| brandfolder | 4,268 | 4,619 | 230 | LFI |
| thecartpress | 4,164 | 4,534 | 274 | LFI |
| advanced-uploader | 4,066 | 4,351 | 203 | LFI |
| aviary-image-editor-add-on-for-gravity-forms | 3,548 | 5,749 | 247 | Shell |
| wp-post-frontend | 1,811 | 16,690 | 294 | Shell |
| [redacted]* | 1,716 | 2,133 | 65 | Shell |
| mdc-youtube-downloader | 1,039 | 5,517 | 199 | LFI |
| document_manager | 915 | 4,450 | 148 | LFI |
| paypal-currency-converter-basic-for-woocommerce | 797 | 1,133 | 129 | LFI |
| justified-image-grid | 788 | 17,852 | 35 | LFI |
| cherry-plugin | 539 | 3,919 | 31 | Shell |
| aspose-cloud-ebook-generator | 531 | 720 | 25 | LFI |
| gwolle-gb | 331 | 406 | 46 | LFI |

*The redacted plugin in the list was removed before publication. The attacks target an undocumented, older shell upload vulnerability. The vulnerability does not exist in the current version of the plugin. Because it’s undocumented, it is technically a zero day vulnerability, even though it has been fixed in newer versions of the plugin, so we decided to remove the plugin name.

Notes

The large number of local file inclusion vulnerabilities that are being exploited is surprising. I should also note that many of these LFIs were discovered by Larry Cashdollar, whom I had the pleasure of seeing speak at Defcon in Las Vegas 2 weeks ago. So I suspect that many of these are being used in an attack script of some kind, which may explain their prevalence in the attacks we’re seeing.

The clustering of LFIs together and Shell exploits together in the list order is odd, but I don’t have a theory to explain it, and there is no error in the data that accounts for it. It appears to be coincidence.

The vulnerability in the Recent Backups plugin at the top of the list was disclosed in August 2015, and the plugin has now been removed from the repository, probably because it was not being maintained. The large number of exploits targeting this plugin is puzzling because, as far as I can tell from archive.org, the plugin only had a few thousand installs. It may be because it is quite easy to “google dork” to find sites that are vulnerable, and the abundance of target sites may make this an attractive target.

As a final note, I’d like to add that this data is simply an indication of the volume of attacks that we are seeing on plugins in the wild, across the large attack surface of WordPress websites protected by Wordfence. It does not give any indication of whether a plugin in this list is more or less secure than others. It does not include data on how successful attacks on the plugins shown may or may not be. It is purely an indication of attack activity in the wild on WordPress plugins during the past week.

Your comments are welcomed as always.


56 Comments on "Top 50 Most Attacked WordPress Plugins This Week"

Nosaint August 17, 2016 at 9:15 am • Reply

Can we have the list of IPs doing this? (to block)

mark August 17, 2016 at 9:17 am • Reply

We don't currently provide that. We may in future as a premium feature. I'd like to hear from the rest of the community if there's any interest in this.

Daniel August 17, 2016 at 10:31 am • Reply

This would be such a good idea. Should roll this one out for sure.

SVT August 17, 2016 at 10:33 am • Reply

Always.

Mike August 17, 2016 at 1:02 pm • Reply

YES! PLEASE!

Cristian Balan August 18, 2016 at 7:26 am • Reply

Yes please and no premium as would be pointless.

Evan August 18, 2016 at 8:16 am • Reply

We would have to stop using the plugin if it started mining our site traffic. Does it mine data currently?

mark August 19, 2016 at 6:44 am • Reply

No, we only get reports of attacks.

Chris Shearar August 17, 2016 at 11:55 am • Reply

Over the past few days there have been in excess of 500 attacks on one of my websites. The interesting thing is that all have used the login name "test" and the attacks come from around the world. All have been locked out thanks to Wordfence.

Beth August 17, 2016 at 1:41 pm • Reply

I have been seeing a lot of attempted logins with the username "test" as well. This has been happening on multiple sites.

Shane August 17, 2016 at 5:01 pm • Reply

Same here Chris. One site got smashed over a 3 day period.

Firstly I blocked the other countries from having access to the Log In page.

They then started attacking from Australia.

I then ended up changing the settings in WordFence to block unauthorised usernames. The attempts seemed to stop a few hours after that.

Thanks for your good work Wordfence Team.

Coderinthebox August 18, 2016 at 2:48 am • Reply

I usually get hit by at least 57 attackers a day; it used to be a few hundred different IPs a day with more than 10,000 attempted attacks. What bothers me is that Microsoft and Bing are also trying to log in to my server.

I just set my server into paranoid mode, if you are hammering my server, you get a ban hammer automatically.

Michael August 23, 2016 at 7:37 pm • Reply

I occasionally get the "test" userid as well...just set Wordfence to permanently lock out that user, along with "admin".

David 1961 August 17, 2016 at 12:17 pm • Reply

It seems pointless to try to block a list of IPs. The bot networks that are involved are using hundreds if not thousands of hijacked systems all with different IPs. If you block one IP they just switch to another one. There was a period of time I was getting hit by 10 to 20 different IPs per hour. When I blocked them there would be a new set that hit me the next hour. These were password dictionary attacks but I don't see any reason that attacks that target vulnerabilities would be any different.

Cristian Balan August 18, 2016 at 7:27 am • Reply

10-20/hour is little

Lindsey H August 17, 2016 at 9:17 am • Reply

This explains why I saw suspicious activity a couple of days, where an unidentified IP address was looking for the sexy-contact-form plugin. I'd never heard of that plugin before then, and certainly don't use it.

mark August 17, 2016 at 9:20 am • Reply

Interesting Lindsey, thanks. I'd love to hear more about what users are seeing on the ground and how it relates to this data.

James August 17, 2016 at 9:19 am • Reply

Yes, I would certainly be interested in having a list of IPs. It would help massively.

mark August 17, 2016 at 9:20 am • Reply

Thanks James. Can you share how you'd use it? Presumably to block bad guys, but where would you block? Firewall? Or iptables rules in Linux? Or somewhere else?

Thanks.

James August 17, 2016 at 9:27 am • Reply

Thanks for the reply Mark.

I would use it to block them with iptables in Linux. I also believe I have the option to blacklist the IP addresses on the server.

James

Cristian Balan August 18, 2016 at 7:29 am • Reply

I'm also using BitNinja to block across multiple servers and to help the community as there is a central DB used by several servers.

Dan Oc August 17, 2016 at 9:23 am • Reply

Funny to see Revolution slider up there, that plugin has caused me more hacking problems than every other plugin put together! I'm surprised so many themes still come bundled with it

Anthony August 17, 2016 at 9:28 am • Reply

Yes, a list of IPs would be excellent. Allowing us to add to the block list. thx

Having paid option with a Yes/No for auto update of flagged IPs.

Ron August 17, 2016 at 9:38 am • Reply

Glad to see that I've never used a single plugin on this list.

Steve August 17, 2016 at 9:49 am • Reply

I'm on a dedicated server and would have LiquidWeb block the respective ip's.

Stan August 17, 2016 at 9:49 am • Reply

I had extreme activity on one of my client websites: a brute force attack in the last 2 days, more than 500 attempts from different IPs. Most of these countries I had blocked before the attacks. So, I wonder how it is even possible to try to access wp-login when country blocking is applied. Thank you for sharing valuable information.

Mark Rudder August 17, 2016 at 2:18 pm • Reply

Stan,

What are you using to block countries?

Stan August 20, 2016 at 7:24 am • Reply

Hi Mark,
I am using the country blocking feature of Wordfence.

Arie Klerk August 17, 2016 at 10:02 am • Reply

Strange to see Gwolle GB on this list. The version mentioned is way old; it is not even on the changelog list anymore. The actual version is 2.01. Please look at the provided website: https://wordpress.org/plugins/gwolle-gb/changelog/
I hope that this is not the case with all of the 50 plug-ins. To me it looks like a very old test, not of the last week!
On the other hand, I wonder how the list would look if it was taken last week indeed... ;(

mark August 17, 2016 at 10:24 am • Reply

The list is a query that looks back 7 days starting from yesterday evening at around 6pm pacific time. We have linked every exploit to a PoC mostly on exploit-db. You'll notice if you dig a little deeper that many of the exploits are 2016. This data is as real-time as it gets for large queries like this. There is nothing comparable from any other security provider because they don't have this capability.

I'd also add that we have not filtered this list for security scanners, so you may find that those are inflating the statistics for fairly old vulnerabilities. We are bringing this filtering capability online soon so watch this space.

In addition we've seen exploit toolkits (see our theme stats from last week) that get posted and are run by a large number of "script kiddies" or unsophisticated attackers that simply run an old toolkit to see if they get lucky. So many of these attacks may originate from that set.

Remember, these are attacks that were blocked. They are not successful attacks.

~Mark.

Grant Kruger August 17, 2016 at 10:08 am • Reply

I would like to suggest that you team up with Stop Forum Spam, a long-standing community-driven spam blocking service where IP addresses of known attackers are freely shared. They helped me a bunch with my previous site (different CMS), and because their list is built and verified by a community of all of us, they are a good fit with open source thinking. You would even be able to use their APIs to improve your own blocking capability, maybe even add blocking of stuff on their list as a premium feature. They are at stopforumspam.com, and I can't help but wonder if there isn't a similar possible partnership with Akismet too.

Heinz Rainer August 17, 2016 at 10:12 am • Reply

Hi wordfence and team, wordfence users,

It comes as no surprise to me. I am using Wordfence, just as you do. What I have noticed, and have said over and over: WP is as strong as its plugins. Now, I have always advocated minimizing the use of plugins.

And it does not come as a surprise: I have none of those mentioned installed. Not a single one.

Whilst having Wordfence installed and doing a great job, I advise all to get the premium version. I also have a little trick built in: my admin.php as well as wp-login.php are not accessible.

This makes it a little easier to fend off shady characters on the web.

Another thing after analyzing where most attacks used to come from :

40 % Ukrainian
30 % Turkish
30 % Chinese IPS

You can block those IPs permanently if you want. All you need is to configure htaccess.

After all, these guys have nothing good in common, so why not bar them from visiting your site.

Again a praise to wordfence for doing a great job,

AFRICASIAEURO/YOUTUBE

Magda van Tilburg - booxalive.nl August 17, 2016 at 11:40 am • Reply

Hi Heinz! Thank you for your advice on blocking naughty countries! But what do you mean by: 'All you need is to configure htaccess'? As I am just a beginner in making a website, I don't know all these phrases, sorry.
Best wishes, Magda from sunny Amsterdam

S Stewart August 19, 2016 at 10:31 pm • Reply

htaccess is Apache .htaccess file, a configuration in a sense.
More about this is at http://www.htaccess-guide.com/

Bill Tirmer August 17, 2016 at 10:46 am • Reply

Thank you for continued great services.

Larry Bomse August 17, 2016 at 11:29 am • Reply

We were attacked over 800 times last. I blocked all networks & IPs.
Most common was "admin" or "test" ... FAIL: I was watching it live and was blocking live.
"They" went from the Eastern Bloc to Asia, to South America, server hopping ... FAIL ... lol..
Great work keeping us safe.

Andrew August 17, 2016 at 12:15 pm • Reply

Would it be possible to allow IP blocking from within a user's Wordfence account rather than having to block on individual sites? I've got 20 licences and banning IPs across individual sites takes a fair amount of time

Rohan August 18, 2016 at 4:10 pm • Reply

Yes, I agree with that. We host both internal and external business websites on our server and it would be good to be able to sync all blocked IP's across all those protected in our account.

Or even a cloud based centralised management system? We use Bitdefender's enterprise grade AV suite for your network PC's/servers and the ability to log in and push through policy changes or tasks to multiple sites, is a massive boost for productivity.

The ability to standardise policies etc would be huge, especially if developing a new website.

Elisa August 17, 2016 at 1:26 pm • Reply

I haven't ever had a plugin on your list, until today. Do you make an effort to contact the plugin author? I have built up a really nice relationship with this author and he is very active, so I want him to know, and to make it safe since I use it on several client sites. What do you suggest?

Chook August 17, 2016 at 3:30 pm • Reply

Blocking IPs manually in the .HTACCESS file or adding them manually in other ways is going to be a long and tiresome task. Been there done that to realise this myself.

Having Wordfence do this Automatically when an IP breaks a rule - such as Immediately lock out invalid usernames, or if pages not found (404s) exceed 3 - is a much more efficient and stress free way to block IPs. I now sleep at night ;)

But tight rules come at a risk. Mistyping your username, or your site having a couple of 404s, will lock you out, and the "unlock" process can be unreliable at times from a user perspective (forgotten admin email address or mail not sent from hosting server). There are ways around this that require a bit more detail than this thread allows. Visit the Docs site: https://docs.wordfence.com/

Back to Topic - Wordfence has a setting, If 404s for known vulnerable URLs exceed: X
Will this setting help block IPs that are attempting to hack the listed plugins?

Cristian Balan August 18, 2016 at 7:35 am • Reply

Something like that would be very useful, https://www.statuscake.com/API/Locations/txt (this is just an example, do NOT block those IPs).

Pk August 17, 2016 at 3:43 pm • Reply

I'm using .htaccess too. And don't forget to set file permission to 0444
0440 is the recommendation but permalink doesn't like it.

With the wp-config.php file permission should be set to 0440

Thank you Wordfence team for a wonderful plugin.

:) Pk

Anil Saini August 17, 2016 at 8:48 pm • Reply

OMG! I was using DB-Manager for my blog, but have now removed it.
Thanks for the reporting by the way. :)

mark August 17, 2016 at 9:13 pm • Reply

Hi Anil,

If you're referring to WP Database Backup: https://wordpress.org/plugins/wp-database-backup/changelog/

The plugin author is very actively maintaining the plugin and has fixed multiple vulnerabilities. His most recent release is just two weeks ago.

As I mentioned in the final paragraph of our post: "It does not give any indication of whether a plugin in this list is more or less secure than others."

Check each of your plugins individually and if a plugin is actively maintained and the changelog says the vulnerability has been fixed, then it's probably quite secure.

Mark.

David Bowman August 18, 2016 at 12:58 am • Reply

Hi, isn't this like a pop chart? Next week the hackers will have moved on. It seems not to include some major core plugins that recently had faults identified. It would be interesting to see how many of these plugins are on the trusted WordPress plugins directory and what testing is undertaken for plugin vulnerabilities before and after inclusion. I fear that until a lite core version of WordPress is created, it will be inherently damaged. That's before any plugin vulnerabilities are included. We have moved many sites back to basic HTML. The risk is that WordPress receives so much brand damage that it disintegrates. #WPbloat

mark August 19, 2016 at 6:48 am • Reply

Hi David,

I just want to reemphasize that these are actual attacks. It's raw data. This is not our opinion, and so yes, it's interesting that a few high profile recent vulnerabilities/exploits are not included; perhaps it indicates the vast majority of attackers out there are relatively unsophisticated.

Mark.

Han Balk August 18, 2016 at 2:12 am • Reply

Just like Chris and a few others, I also noticed a lot of login attempts with login name 'test'. Non-existing login names will be automatically blocked for a while, so I do not really bother about this.

About the enormous IP list of attackers, apart from the question of whether or not it's useful and/or cumbersome: when it's imported in Wordfence or .htaccess, wouldn't that impact the website's response time?

Maria August 18, 2016 at 2:15 am • Reply

That's interesting. I have not used any of these listed plugins and I do keep updating the plugins frequently. Good to know about these themes, and I do thank Wordfence for providing better information about the hacks and for securing websites.

Pupunzi August 18, 2016 at 4:58 am • Reply

Hi,

I'm the author of the wp-miniaudioplayer plugin (one of the plugins you included in your list).
I would like to let you know that the vulnerability test you made refers to versions 1.6 and 1.7, while now the plugin is at version 1.8.2 and the vulnerability issue was solved almost one year ago. You should not publish such news only to promote your software without being more accurate and verifying what you are writing...

-1 for you guys.

Matteo

mark August 19, 2016 at 6:46 am • Reply

Matteo,

We put our community first and these are real attacks that are happening on the ground during the past week. Sorry you wrote a vulnerability. Good to hear you fixed it. We've written a few of our own in the past and it's never a happy event, but responding quickly and posting here is the kind of thing that lets your own customers know that you are actively maintaining your plugin and are security conscious.

Mark.

Sandy Sandmeyer August 18, 2016 at 6:36 am • Reply

Is there any reason why Wordfence's use of resources would be exponentially increased recently? My web host shut my site down because of Wordfence's crazy resource use.

mark August 19, 2016 at 6:44 am • Reply

No there isn't Sandy. Please post in our support forums for a more detailed answer if you'd like one.

Noel August 18, 2016 at 6:49 pm • Reply

Hi all,
What I cannot understand is that even before I totally lost interest in my site, I had no memberships or any products of any kind for sale! So what I cannot understand is that there was NO METHOD for me to make money from the site that could use any payment methods of any kind; no data of any kind was ever collected! Yet I had times where the site was almost bombed into next year with attacks. I copy the IPs to my .htaccess file daily, as I felt your software was keeping them out lol. BUT WHAT IS IN IT FOR THEM??? To be really honest with you, my site is just off being a waste of internet space!

Eric September 2, 2016 at 9:04 am • Reply

what version of db-backup? The report says 2014.

I was using it on a ton of sites and have since removed. I contacted the author on WP support forums.

It is such a useful, time saving tool & I would really like to use it again or at least help the author get it sorted if it is not already.

Patrick Herbert September 6, 2016 at 8:28 pm • Reply

This would be awesome as something that I could keep track of and host on my website. Sort of like the stock market of attacked WP plugins.

pdipaul December 21, 2016 at 2:31 am • Reply

Beware of this IP: 14.201.67.60
Just a sample of what is happening
and lots more!
Be safe
Paul
