Hackers Now Attacking Unconfigured WordPress Sites

SonicWall Threat Research Labs recently received reports of attackers targeting newly installed WordPress sites. Attackers search for the following phrases:

WordPress
Setup Configuration File

If both phrases exist, then it is possible that the site has WordPress installed but has not been configured properly. In fact, doing a Google search for the above, results in:

After checking the first results returned by Google, we found 4 to unconfigured.

Typically, most of these sites returned show the following:

From the above, we can see that the attacker can specify any database they have control over.

The next step the attacker does is to set the first level admin account

Once the attacker has control over the WordPress website running in the target server, the attacker can do any of the following:

Use the WordPress website for hosting malware, exploit kits, etc.
Use the WordPress website as a launching pad to attempt control of the server. This can be done by executing specially crafted PHP scripts.

SonicWall Threat Research Team has the following signature to protect their customers from this type of attack:

WAF 1666: WordPress Setup Attack

Share This Article

An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.