
A malvertising campaign against WordPress sites has been
ongoing since July. It exploits vulnerabilities in
WordPress plugins to gain control of websites.
The campaign initially redirected users to malicious
websites. It has now evolved to install backdoors in the
compromised sites by creating a new user with admin
privileges.

Researchers have observed an ongoing malvertising campaign
against millions of WordPress websites. The attack exploits
vulnerabilities in outdated WordPress plugins to inject code
into the compromised sites, and it creates rogue WordPress
admin accounts to gain complete control of them.

How does the attack work?

Using vulnerabilities in certain outdated WordPress plugins,
the threat actors plant scripts on the WordPress site.
The script redirects visitors to malicious sites and displays
unwanted pop-ups. Once the visitor lands on the redirected
site, the attackers serve malicious droppers and create
backdoors.

This campaign has also recently evolved: the JavaScript
payload it delivers now creates a new administrator account.
Because the payload runs in the browser of whoever views the
infected page, it can use a logged-in administrator's session
to create the account. The rogue admin is created with the
username wpservices, the email address
wpservices@yandex[.]com, and the password w0rdpr3ss.
With admin privileges on the compromised site, attackers can
plant a backdoor and perform other actions. Because these
credentials are now public, any site on which this account
exists should be treated as compromised and the account
removed, not merely disabled.

One IP address is behind most of the attacks

Researchers from Wordfence observed that the attacks
initially came from multiple IP addresses. Later, all of
them stopped except one, 104[.]130[.]139[.]134, a Rackspace
server believed to be hosting compromised websites.
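The two indicators the article gives, the rogue admin account and the attacking IP, are easy to turn into a triage check. The script below is an added example written for this page; it is not Wordfence's code and not part of the original report. It assumes the user list is in the shape produced by `wp user list --format=json --fields=ID,user_login,user_email,roles,user_registered` and that the web server writes a combined-format access log; both sample inputs are constructed for the example, with non-IOC addresses taken from documentation ranges. The check for POSTs to /wp-admin/user-new.php (WordPress's standard user-creation page) is a generic indicator added here, not one the article reports.

```python
"""Triage helpers for the WordPress rogue-admin campaign described above.
Example code, not from the article or from Wordfence."""
import json
import re
from datetime import datetime, timedelta

# Indicators quoted in the article (the defanged email/IP written out).
ROGUE_LOGIN = "wpservices"
ROGUE_EMAIL = "wpservices@yandex.com"
ATTACK_IP = "104.130.139.134"

# Constructed sample, shaped like:
#   wp user list --format=json --fields=ID,user_login,user_email,roles,user_registered
# WordPress stores user_registered in UTC.
SAMPLE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "editor-in-chief", "user_email": "eic@example.org",
     "roles": "administrator", "user_registered": "2017-03-02 10:11:12"},
    {"ID": 2, "user_login": "jdoe", "user_email": "jdoe@example.org",
     "roles": "author", "user_registered": "2018-06-20 08:00:00"},
    {"ID": 73, "user_login": "wpservices", "user_email": "wpservices@yandex.com",
     "roles": "administrator", "user_registered": "2019-08-21 03:14:07"},
    {"ID": 74, "user_login": "backup_svc", "user_email": "ops@example.org",
     "roles": "administrator", "user_registered": "2019-08-22 23:59:59"},
])

# Constructed sample access log (combined log format).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [21/Aug/2019:03:12:55 +0000] "GET /wp-admin/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Aug/2019:03:14:07 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://blog.example.org/wp-admin/user-new.php" "Mozilla/5.0"
104.130.139.134 - - [21/Aug/2019:03:20:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
104.130.139.134 - - [21/Aug/2019:03:20:41 +0000] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Aug/2019:04:00:00 +0000] "GET /2019/08/post/ HTTP/1.1" 200 15234 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_rogue_admins(users_json, now, lookback_days=14):
    """Return {user_login: [reasons]} for accounts that need a closer look.

    Flags the exact IOCs from the report and, more generally, any
    administrator registered inside the lookback window, since the
    attackers could change the username or email at any time."""
    findings = {}
    cutoff = now - timedelta(days=lookback_days)
    for user in json.loads(users_json):
        reasons = []
        roles = user["roles"]
        roles = roles.split(",") if isinstance(roles, str) else list(roles)
        if user["user_login"] == ROGUE_LOGIN:
            reasons.append("login matches campaign IOC")
        if user["user_email"].lower() == ROGUE_EMAIL:
            reasons.append("email matches campaign IOC")
        if "administrator" in roles:
            registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
            if registered >= cutoff:
                reasons.append("administrator created within lookback window")
        if reasons:
            findings[user["user_login"]] = reasons
    return findings


def scan_access_log(log_text):
    """Return (kind, ip, timestamp, method, path) for suspicious entries."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined log format
        entry = match.groupdict()
        if entry["ip"] == ATTACK_IP:
            hits.append(("attack-ip", entry["ip"], entry["ts"], entry["method"], entry["path"]))
        elif entry["method"] == "POST" and entry["path"].startswith("/wp-admin/user-new.php"):
            # The admin-creating payload runs in a logged-in administrator's
            # browser, so this request carries the admin's IP, not the
            # attacker's; do not filter this check by ATTACK_IP.
            hits.append(("user-created", entry["ip"], entry["ts"], entry["method"], entry["path"]))
    return hits


if __name__ == "__main__":
    for login, why in find_rogue_admins(SAMPLE_USERS_JSON, now=datetime(2019, 8, 25, 12, 0, 0)).items():
        print(f"user {login}: {'; '.join(why)}")
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("log %-12s %s %s %s %s" % hit)
```

On a real site, feed `find_rogue_admins` the output of the `wp user list` command above and `scan_access_log` the server's access log; a hit from the lookback rule on an account you do not recognise deserves the same response as an exact IOC match, since the published username and password can be changed by the attackers at any time.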

How to protect your website from the attacks?

According to a report by Imperva, 98% of WordPress
vulnerabilities are related to plugins, which extend the
functionality and features of a website or blog.
Anyone can create and publish a plugin: WordPress is open
source and easy to manage, and there is no enforcement or
formal process that mandates minimum security standards
(e.g. code analysis). Hence, WordPress plugins are prone to
vulnerabilities.

This means WordPress users and admins must ensure that the
latest versions of plugins are installed on their websites,
and remove plugins that are no longer maintained or no
longer needed. It is also recommended that WordPress admins
enable two-factor authentication for an added layer of
security, and audit the site's user list for administrator
accounts they did not create.

According to John Opdenakker, an ethical hacker, “It’s
certainly a good idea to use a web application firewall to
help block cross-site scripting (XSS) attacks.”