WordFence Security released a post back on February 2 that detailed their findings on a sophisticated exploit against WordPress sites. We have discussed the importance of proper WordPress security on our blog several times in the past. See the links below to review those articles.
You can see the video that WordFence created here.
This exploit can be used to load 47 tools to further compromise the affected web site. These tools allow the attacker to do the following:
- Launch attack shells that let attackers manage the file system.
- Access the database through a well-designed SQL client.
- View system information.
- Mass infect the system.
- Perform a Denial of Service attack on other systems.
- Find and infect all Content Management Systems.
- View and manage user accounts both on CMSs and the local operating system.
- Run an FTP brute force attack tool.
- Run a Facebook brute force attack tool.
- Run a WordPress brute force attack script.
- Scan for config files or sensitive information.
- Download the entire site or parts of the site.
- Scan for other attackers' shells.
- Change site configuration files to host malicious code.
WordFence also reported on the Aethera botnet that is attempting to brute force the passwords for WordPress sites.
You can find a more technical explanation of the underlying PHP code base used in the attack in a recent article on Naked Security.
I have tried WordFence, Sucuri, and BulletProof on different sites, and WordFence is my favorite. They all have advantages. Sucuri, for instance, runs on other CMS websites. My recommendation for WordPress site owners and developers is to install one of these fine plug-ins on every WordPress site you own or manage, and keep stuff like this from happening in the first place.
- WordFence – An Attack Platform Infecting WordPress Sites
- WordFence – Aethera Botnet
- Naked Security – PHP ransomware attacks blogs, websites