A new type of attack against WordPress is targeting fresh installations to get admin access and execute PHP code in the victim’s web hosting account, Wordfence reveals.
Dubbed WPSetup, the campaign was observed in May and June, and starts with the attackers scanning for a specific URL used by new installations of WordPress: /wp-admin/setup-config.php. If the URL contains a setup page, it means the victim has recently installed WordPress on their server but has yet to configure it.
Basically, it means that those who install WordPress either by unzipping the ZIP archive or through a one-click installer but don’t immediately complete the installation steps provide attackers with the necessary means to take control of the website.
“It is very easy for an attacker to take over not just the new WordPress website, but the entire hosting account and all other websites on that hosting account,” Mark Maunder, Wordfence founder and CEO, claims.
Any WordPress installation starts with selecting the language, followed by an introductory message, after which the user selects a database name, username, password and server for the new WordPress installation. At this point, an attacker who finds the fresh install can “click through the first two steps and then enter their own database server information,” Maunder argues.
The attack is successful even if the database is on their own server or contains no data, Wordfence says. A working WordPress installation on the victim’s site and admin access to it is all the attackers need. Once the final installation step is completed, WordPress confirms that it can communicate with the database, and presents the attacker with a dialogue to run the install.
At this point, the attacker can create the first admin-level account with their own information, hit install, and then sign into a fresh WordPress on the victim’s server, using their own database.
“Once an attacker has admin access to a WordPress website running on your hosting account, they can execute any PHP code they want in your hosting account,” Maunder notes.
Because WordPress allows admins to edit the code of themes and plugins, an attacker can simply launch the theme or plugin editor and insert PHP code, thus having the code executed the next time the page is refreshed.
“Once an attacker has admin access to a WordPress site, they can upload any plugin with any PHP code, including their own custom plugin. To execute their code, they spend a few minutes creating a basic WordPress plugin and then upload it to the site and activate it,” Maunder continues.
An attacker could execute code on the victim’s site and also install a malicious shell in a directory in the victim’s hosting account, thus gaining access to all files and websites on that account. This would also provide the attacker with access to any databases the WordPress installation has access to, and maybe also with access to other application data.
Logan Kipp, Product Evangelist at SiteLock, told SecurityWeek in an emailed comment that incomplete WordPress setups left online and publicly-accessible are more common than one might think. According to Kipp, even when warned of the risks involved, many customers wouldn’t understand that “reinstalling WordPress would not inhibit a persistent infection, especially if it spread outside of the WordPress file structure.”
“Cybercriminals aren’t always after just sensitive information like passwords and credit cards, a server’s resources are one of the many currencies of the cybercriminal underworld. Your server may be used to leverage attacks on other servers or website visitors. One of the questions I am frequently asked is “who would host a cybercriminal?” In most cases, the answer is regular people who aren’t well-informed that have become unwilling cohabitants to a cybercriminal,” he continues.
Weston Henry, Lead Security Analyst at SiteLock, tells SecurityWeek that attack itself is a well-known tactic and that long have web scanners been configured to find default install files and directories.
“The WordPress attackers capitalized on the sheer number of WordPress installs on the net, and took advantage of forgotten and unfinished installs. Site owners can protect themselves by preparing for and completing new WordPress installs as soon as they’re begun. Next, site owners can use a web application firewall to whitelist owner or developer IP addresses. An .htaccess file can also be used to limit access by IP address,” Henry said.
In a separate report, Wordfence revealed that the number of daily complex attacks against WordPress has increased to 7.2 million in June, up 32% from May. The average number of daily brute force attacks went up 36% compared to May, with a peak at over 41 million.
The report also reveals that the top 25 attacking IPs launched a total of 133 million attacks in June, a slight decrease from the 144 million attacks registered in May. The most attacked WordPress theme was mTheme-Unus, while the most targeted plugin was WP Mobile Detector. The top three attacking countries are Russia, U.S. and Ukraine, the report also reveals.
