1.6 Million WordPress Sites Hit With 13.7 Million Attacks In 36 Hours From 16,000 IPs
Today, on December 9, 2021, our Threat Intelligence team noticed a drastic uptick in attacks targeting vulnerabilities that make it possible for attackers to update arbitrary options on vulnerable sites. This led us into an investigation which uncovered an active attack targeting over a million WordPress sites. Over the past 36 hours, the Wordfence network has blocked over 13.7 million attacks targeting four different plugins and several Epsilon Framework themes across over 1.6 million sites and originating from over 16,000 different IP addresses.
Wordfence Premium Users are protected against any exploit attempts targeting all of these vulnerabilities. Wordfence free users are protected against attacks targeting all of the vulnerabilities except for the recently disclosed vulnerability in PublishPress Capabilities. Wordfence Premium users received a firewall rule for the Unauthenticated Arbitrary Options Update vulnerability in PublishPress Capabilities on December 6th, 2021, and sites still running the free version of Wordfence will receive the firewall rule on January 6, 2022.
A Closer Look at the Attack Data
Attackers are targeting 4 individual plugins with Unauthenticated Arbitrary Options Update Vulnerabilities. The four plugins consist of Kiwi Social Share, which has been patched since November 12, 2018, WordPress Automatic and Pinterest Automatic which have been patched since August 23, 2021, and PublishPress Capabilities which was recently patched on December 6, 2021. In addition, they are targeting a Function Injection vulnerability in various Epsilon Framework themes in an attempt to update arbitrary options.
In most cases, the attackers are updating the `users_can_register` option to enabled and setting the `default_role` option to `administrator`. This makes it possible for attackers to register on any site as an administrator, effectively taking over the site.
Our attack data indicates that there was very little activity from attackers targeting any of these vulnerabilities until December 8, 2021. This leads us to believe that the recently patched vulnerability in PublishPress Capabilities may have sparked attackers to target various Arbitrary Options Update vulnerabilities as part of a massive campaign.
The top 10 offending IPs over the past 36 hours include:
- 220.127.116.11 with 430,067 attacks blocked.
- 18.104.22.168 with 277,111 attacks blocked.
- 22.214.171.124 with 274,574 attacks blocked.
- 126.96.36.199 with 216,888 attacks blocked.
- 188.8.131.52 with 205,143 attacks blocked.
- 184.108.40.206 with 194,979 attacks blocked.
- 220.127.116.11 with 192,778 attacks blocked.
- 18.104.22.168 with 181,508 attacks blocked.
- 22.214.171.124 with 158,873 attacks blocked.
- 126.96.36.199 with 153,350 attacks blocked.
How Can I Keep My Site Protected?
Due to the severity of these vulnerabilities and the massive campaign targeting them, it is incredibly important to ensure your site is protected from compromise. If your site is running Wordfence Premium then it is already protected against any exploit attempts targeting any of these vulnerabilities. If your site is running the free version of Wordfence then it is protected against any exploits targeting any of the vulnerabilities, with the exception of the recently patched vulnerability in PublishPress Capabilities. Sites running Wordfence Free will receive the firewall rule for PublishPress Capabilities on January 6, 2022, which is 30 days after Wordfence Premium users.
Regardless of the protection that Wordfence provides, we strongly recommend ensuring that any sites running one of these plugins or themes have been updated to the patched version. We have the affected versions of each product outlined below. Please ensure that your sites are running a version higher than any of the ones listed. Simply updating the plugins and themes will ensure that your site stays safe from compromise against any exploits targeting these vulnerabilities.
The following are the affected plugins and their versions:
- PublishPress Capabilities <= 2.3
- Kiwi Social Plugin <= 2.0.10
- Pinterest Automatic <= 4.14.3
- WordPress Automatic <= 3.53.2
The following are the affected Epsilon Framework theme versions:
- Shapely <=1.2.7
- NewsMag <=2.4.1
- Activello <=1.4.0
- Illdy <=2.1.4
- Allegiant <=1.2.5
- Newspaper X <=1.3.1
- Pixova Lite <=2.0.5
- Brilliance <=1.2.9
- MedZone Lite <=1.2.4
- Regina Lite <=2.0.4
- Transcend <=1.1.8
- Affluent <1.1.0
- Bonkers <=1.0.5
- Antreas <=1.0.4
- Sparkling – No patch known. Recommended to uninstall from site.
- NatureMag Lite – No patch known. Recommended to uninstall from site.
How Do I Know If My Site Has Been Infected and What Should I do?
As previously stated, the attackers are updating the `users_can_register` option to enabled and setting the `default_role` option to `administrator` in most cases.
To determine if a site has been compromised by these vulnerabilities, we recommend reviewing the user accounts on the site to determine if there are any unauthorized user accounts. If the site is running a vulnerable version of any of the four plugins or various themes, and there is a rogue user account present, then the site was likely compromised via one of these plugins. Please remove any detected user accounts immediately.
It is also important to review the settings of the site and ensure that they have been set back to their original state. You can find these settings by going to the http://examplesite[.]com/wp-admin/options-general.php page. Please make sure the `Membership` setting is correctly set to enabled or disabled, depending on your site, and validate that the `New User Default Role` is appropriately set. We strongly recommend not using `Administrator` for the new user default role as this can lead to inevitable site compromise.
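The two checks described above (look for rogue administrator accounts, then confirm the `users_can_register` and `default_role` options are back in their intended state), as an added example that is not part of the original post. It builds a throwaway in-memory sqlite3 copy of the three WordPress tables involved (options, users, usermeta) and fills it with constructed sample rows, so the same SQL a practitioner would run against the real MySQL database can be exercised offline. The `wp_` table prefix, the sample user names, the `.test`/`.invalid` addresses and the December 8, 2021 cutoff are all assumptions.

```python
import sqlite3
from typing import Dict, List, Tuple

# Assumption: the default "wp_" prefix. Change it to match $table_prefix in wp-config.php.
TABLE_PREFIX = "wp_"

# Minimal copies of the three WordPress tables the checks touch (constructed for this example).
_SCHEMA = """
CREATE TABLE {p}options  (option_id INTEGER PRIMARY KEY, option_name TEXT UNIQUE,
                          option_value TEXT, autoload TEXT);
CREATE TABLE {p}users    (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT,
                          user_registered TEXT);
CREATE TABLE {p}usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT,
                          meta_value TEXT);
"""

# Constructed sample data: the two options in the state the post describes, one legitimate
# administrator, one editor, and one administrator that registered itself on December 9, 2021.
_SAMPLE_OPTIONS = [
    ("siteurl", "https://example.test", "yes"),
    ("users_can_register", "1", "yes"),
    ("default_role", "administrator", "yes"),
]
_SAMPLE_USERS = [
    (1, "siteowner", "owner@example.test", "2019-03-01 10:00:00"),
    (2, "editor_jane", "jane@example.test", "2020-06-15 09:30:00"),
    (3, "qwe123xs", "qwe123xs@mailbox.invalid", "2021-12-09 03:12:44"),
]
# WordPress stores roles in usermeta as a PHP-serialized array under "<prefix>capabilities".
_SAMPLE_CAPS = [
    (1, 'a:1:{s:13:"administrator";b:1;}'),
    (2, 'a:1:{s:6:"editor";b:1;}'),
    (3, 'a:1:{s:13:"administrator";b:1;}'),
]


def open_sample_db(prefix: str = TABLE_PREFIX) -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA.format(p=prefix))
    conn.executemany(f"INSERT INTO {prefix}options (option_name, option_value, autoload) "
                     "VALUES (?, ?, ?)", _SAMPLE_OPTIONS)
    conn.executemany(f"INSERT INTO {prefix}users VALUES (?, ?, ?, ?)", _SAMPLE_USERS)
    conn.executemany(f"INSERT INTO {prefix}usermeta (user_id, meta_key, meta_value) "
                     "VALUES (?, ?, ?)",
                     [(uid, f"{prefix}capabilities", caps) for uid, caps in _SAMPLE_CAPS])
    conn.commit()
    return conn


def check_registration_options(conn: sqlite3.Connection,
                               prefix: str = TABLE_PREFIX) -> Dict[str, object]:
    """Read the two options the campaign changes and flag the dangerous combination."""
    rows = conn.execute(
        f"SELECT option_name, option_value FROM {prefix}options "
        "WHERE option_name IN ('users_can_register', 'default_role')"
    ).fetchall()
    opts: Dict[str, object] = dict(rows)
    # Open registration with administrator as the default role is exactly the state
    # that lets an anonymous visitor register as an admin.
    opts["open_admin_registration"] = (opts.get("users_can_register") == "1"
                                       and opts.get("default_role") == "administrator")
    return opts


def find_admin_accounts(conn: sqlite3.Connection, registered_after: str,
                        prefix: str = TABLE_PREFIX) -> List[Tuple[str, str, str]]:
    """Administrators created after the cutoff ('YYYY-MM-DD HH:MM:SS'); review each one."""
    return conn.execute(
        f"SELECT u.user_login, u.user_email, u.user_registered "
        f"FROM {prefix}users u JOIN {prefix}usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = ? AND m.meta_value LIKE ? AND u.user_registered > ? "
        "ORDER BY u.user_registered",
        (f"{prefix}capabilities", '%"administrator"%', registered_after),
    ).fetchall()


def restore_safe_options(conn: sqlite3.Connection, prefix: str = TABLE_PREFIX,
                         allow_registration: bool = False,
                         default_role: str = "subscriber") -> int:
    """Put the two options back. WordPress ships with registration closed and 'subscriber'
    as the default role; pass allow_registration=True only if the site really needs open
    registration. Returns the number of option rows updated."""
    if default_role == "administrator":
        raise ValueError("administrator must never be the default role for new registrations")
    cur = conn.execute(f"UPDATE {prefix}options SET option_value = ? "
                       "WHERE option_name = 'users_can_register'",
                       ("1" if allow_registration else "0",))
    changed = cur.rowcount
    cur = conn.execute(f"UPDATE {prefix}options SET option_value = ? "
                       "WHERE option_name = 'default_role'", (default_role,))
    changed += cur.rowcount
    conn.commit()
    return changed


if __name__ == "__main__":
    db = open_sample_db()
    print("options before:", check_registration_options(db))
    print("admins registered since 2021-12-08:", find_admin_accounts(db, "2021-12-08 00:00:00"))
    print("option rows reset:", restore_safe_options(db))
    print("options after:", check_registration_options(db))
```

On a live site the two option reads and writes are best done through WordPress's own API rather than straight SQL, for example `wp option get default_role` and `wp option update default_role subscriber` with WP-CLI, because WordPress caches autoloaded options and a direct table write can be masked by a persistent object cache until it is flushed. The queries themselves port to MySQL unchanged apart from the table prefix.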
Please review this guide to cleaning a hacked site with Wordfence to complete the clean of the site once the intrusion vector has been determined and the immediate issues have been resolved. If the entire site is not scanned and cleaned to ensure there are no additional backdoors, it may be possible for an attacker to regain access to the site.
If you would like assistance in cleaning a site compromised by one of these plugins, we recommend using our Professional Site Cleaning services to help get your site back online.
In today’s post, we detailed an active attack campaign targeting various plugins and themes that make it possible for attackers to effectively take over the vulnerable sites through the use of arbitrary option updating. We strongly recommend ensuring that all of your sites have been updated to the patched versions of the plugins and themes.
We also recommend that you share this post within the WordPress community to create awareness among site owners about this attack campaign and how to defend against it.
We may update this post as we receive new information.
These two links are currently the same in the post:
Pinterest Automatic <= 4.14.3
WordPress Automatic <= 3.53.2
They both lead to the Pinterest automatic page.
Thank you for pointing that out! I've updated the post to include the correct link for WordPress Automatic.
This does it, going to start converting all sites in our library over to Wordfence!
May take a while but going to get it done.
Thank you for keeping the WP community safer!
We are happy to have you as a Wordfence user! Since you mentioned that you will be converting several sites to Wordfence, I wanted to mention that we have a product called Wordfence Central that's 100% free to use and can help you manage all of your sites using Wordfence. You can learn more about it here https://www.wordfence.com/central. Thank you!
I kept watching and getting totally peeved at the attacks on my sites. I knew, even with the free version, I was safe with you. This new year, I will make money and upgrade. I am 68 and love the internet, but can't believe how it has changed. I will be going on LinkedIn and sharing. I watch your YouTube channel as well. You're awesome!
Happy to hear that you know you are safe with us, thanks for sharing!
How can we protect our site from someone who uses a "WordPress Automatic plugin" to copy our site content every time we publish it? Does Wordfence protect us from any such incident? If yes, how?
Wordfence does not provide direct protection against that, however, if the individual that keeps copying your site's content uses the same IP address, then you could block them using the IP Blocking feature. That could easily be bypassed, however, if the individual just switches their IP address using a VPN. I do believe there are several plugins out there that can provide what you need so I recommend just researching good WordPress anti-copy plugins. Thanks!
You might want to make a quick update in the two places where you mention the free users getting the firewall update, because in both places you say January 6, 2021 instead of 2022 (I'm assuming you didn't travel back in time to give the free users the rule earlier!)
We must not be ready to let 2021 go, yet. :) I've updated the post, thanks for bringing that to our attention!
Thanks for sharing this for many reasons! Our site gets thousands of attacks daily. It often makes me wonder how other people deal with these issues. I guess I'll have to speak with my team about installing WordFence.
Yes, very true. Nowadays WordPress is a big target. Wordfence is a good plugin to prevent hacking. We too use it.
Thank you, WF team! Saving the day, again!
It looks to me like the issue still exists in the original at https://github.com/WPChill/epsilon-framework.
I also detected and fixed it in Allegiance Pro 1.4.91 theme (not sure if it's fixed in higher versions since I canceled it).
Theme Sparkling 2.4.8 seems to be affected as well, same author as several other mentioned Epsilon Framework themes.
Thank you! I've updated the post to include that theme as well.
Just a thought. From a security (or any) point of view, it never makes sense for users to be able to register as Admin. Could Wordfence not intercept or check this value?
On a similar note, limiting ability to register users ("Anyone can register") is more complex, but I wonder whether forcing an email confirmation before first login, sent to the new user's email, would make this a harder target for now?
Would be great to remove this gaping hole in WordPress architecture - WordPress themselves should not allow new users to be registered as Admin, ever, it makes no sense as they can be edited at creation time.
Thanks for the suggestion! We definitely agree that users should not be able to register as an administrator on the vast majority of WordPress sites, though there may definitely be an edge case or two where a site owner might want/need the ability for it. A feature to block administrative registration is something we currently have on our radar, and hopefully we will be able to get it out there for added protection at some point in the near future. Thanks again!