WordPress, one of the most popular and preferred content management systems (CMSes), lets professionals and novices alike create amazing websites with ease, backed by over 50,000 plugins and themes. That same popularity, however, attracts cybercriminals looking for ways to exploit WordPress and its freely available development options.
For branded websites, SEO spamming remains the top objective.
- Recently numerous vulnerable sites were leveraged by a new cybercrime gang to install scammy e-commerce stores with the purpose of lowering a site’s search engine ranking and reputation.
- Through brute force attacks, the attackers gained access to the site’s admin account, after which they overwrote the site’s main index file and appended malicious code.
- It was also discovered by researchers that attackers are injecting malicious PHP files into the WordPress sites to ensure a steady flow of SEO spam links.
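The brute-force path described above leaves a recognisable trace in the web server's access log: a single client posting to wp-login.php many times in a short window. The following is an added example (not code from the article or from eScan) that scans Apache-style access log lines for such bursts. It assumes the usual WordPress behaviour that a failed login re-renders the form with HTTP 200 while a successful one redirects with HTTP 302; the log lines, IP addresses and threshold are constructed for the example.

```python
"""Flag wp-login.php brute-force bursts in Apache combined/common log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the article). 203.0.113.7 fails six times in a
# few seconds and then gets a 302; 198.51.100.4 is a normal user with one typo.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.7 - - [12/Nov/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.7 - - [12/Nov/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.4 - - [12/Nov/2020:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [12/Nov/2020:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.4 - - [12/Nov/2020:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.7 - - [12/Nov/2020:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.7 - - [12/Nov/2020:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.4 - - [12/Nov/2020:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [12/Nov/2020:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: {"failed": n, "success_after_burst": bool}} for every client
    that failed a wp-login.php POST at least `threshold` times within any
    `window_seconds`-long window. Assumption: status 200 on POST = failed login
    (form re-rendered), status 302 = redirect after a successful login."""
    attempts = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/wp-login.php":
            attempts[rec["ip"]].append((rec["ts"], rec["status"]))

    findings = {}
    for ip, events in attempts.items():
        events.sort()
        failed = [ts for ts, status in events if status == 200]
        burst = False
        for i, start in enumerate(failed):
            # Count failures inside the window that opens at this failure.
            in_window = sum(
                1 for ts in failed[i:] if (ts - start).total_seconds() <= window_seconds
            )
            if in_window >= threshold:
                burst = True
                break
        if not burst:
            continue
        # A redirect after the first failure suggests the guessing eventually worked.
        success = any(
            status == 302 and ts > failed[0] for ts, status in events
        )
        findings[ip] = {"failed": len(failed), "success_after_burst": success}
    return findings


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failed']} failed logins, "
              f"{'login succeeded afterwards' if info['success_after_burst'] else 'no success seen'}")
```

A hit with `success_after_burst` set is the case that matters most for the scenario above: it is the point at which checking the integrity of the site's main index file (and of any recently modified PHP files) becomes urgent, and at which the account's password should be reset.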
Besides SEO spamming, WordPress plugins and themes give cybercriminals a convenient avenue of attack.
- Wordfence researchers reported an ongoing large-scale attack that involved mass scanning of WordPress sites with Epsilon Framework themes vulnerable to Function Injection attacks in the month of November.
- These vulnerable themes, installed on over 150,000 sites, could lead to a full site take-over.
- In early November instances of vulnerable WordPress plugins such as Ultimate Member and Welcart e-Commerce were found to be affected by severe vulnerabilities that could let attackers hijack sites.
WordPress is not suffering alone
- Other CMSes such as Drupal and Joomla are also being targeted by cybercriminals.
- Admins of sites running on Drupal were also urged to plug a security gap that relied on the "double extension" trick.
- According to the Drupal devs, the vulnerability resided in the fact that the Drupal CMS did not sanitize certain file names, which allowed some malicious files to slip through.
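The "double extension" trick works because some web servers (Apache with mod_mime, for example) map every extension in a name like `shell.php.txt` to a handler, so the file can still reach the PHP interpreter even though it "ends" in .txt. The following added example is not Drupal's or WordPress's code; it shows the kind of upload-name check a CMS needs: reject executable final extensions, reject malformed names, and neutralise ("munge") any executable extension hidden before the final one. The extension lists and verdict names are constructed for this example.

```python
"""Validate upload file names against the "double extension" trick."""

# Extensions a misconfigured web server may hand to an interpreter.
# Constructed list for this example; derive a real one from the server's
# actual handler configuration rather than guesswork.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "pht",
    "cgi", "pl", "py", "sh", "shtml", "asp", "aspx", "jsp",
}
# Allow-list of final extensions this (hypothetical) upload endpoint accepts.
ALLOWED_FINAL_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def analyse_filename(name):
    """Return (verdict, safe_name).

    verdict is one of:
      'ok'         final extension allowed and no executable extension anywhere
      'double-ext' an executable extension is hidden before the final one;
                   safe_name carries the munged version (e.g. shell.php_.txt)
      'exec-ext'   the final extension itself is executable
      'rejected'   malformed or disallowed name (path separators, NUL bytes,
                   empty components such as '.htaccess' or 'a..b', or a final
                   extension outside the allow-list)
    """
    if not name or "\x00" in name or "/" in name or "\\" in name:
        return "rejected", None
    parts = name.split(".")
    if len(parts) < 2 or any(p == "" for p in parts):
        return "rejected", None
    base, exts = parts[0], [p.lower() for p in parts[1:]]
    final = exts[-1]
    if final in EXECUTABLE_EXTENSIONS:
        return "exec-ext", None
    if final not in ALLOWED_FINAL_EXTENSIONS:
        return "rejected", None
    inner = exts[:-1]
    if any(e in EXECUTABLE_EXTENSIONS for e in inner):
        # Munge: append an underscore to each hidden executable extension so
        # no handler mapping matches it any more (shell.php.txt -> shell.php_.txt).
        munged = [e + "_" if e in EXECUTABLE_EXTENSIONS else e for e in inner]
        return "double-ext", ".".join([base, *munged, final])
    return "ok", name


if __name__ == "__main__":
    for candidate in ("photo.jpg", "shell.php.txt", "shell.PhP.jpg",
                      "shell.php", "../shell.jpg", ".htaccess", "archive.tar.gz"):
        print(f"{candidate!r:20} -> {analyse_filename(candidate)}")
```

Munging keeps the upload usable while removing the executable mapping; rejecting outright is the simpler policy if the endpoint never needs to accept such names. Either way the check belongs server-side, on the stored name, not only in the browser.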
Unpatched vulnerabilities in WordPress core software are the main reason that cybercriminals target the platform. Hence, applying security fixes promptly and following recommended cybersecurity practices is the way to protect the WordPress platform from such virulent attacks.
To read more, please check the eScan Blog.