WordPress Suffers Serious Breach, Over 15,000 User Sites Compromised

Hackers breached over 15,000 WordPress sites, using them to redirect visitors to bogus Q&A sites and artificially boost those sites' search rankings.

By Jennifer Hollohan | Published

WordPress is the most recognizable and popular platform for hopeful bloggers and experienced website owners alike. But, unfortunately, it looks like even WordPress is not immune to hackers. The platform just released news of a recent compromise of thousands of sites.

The data breach impacted over 15,000 WordPress sites. The company believes the motive is related to SEO search results. And it is the most comprehensive hacking campaign WordPress has experienced. 

Hackers embedded code into the WordPress sites to redirect visitors to fake Q&A sites. Ben Martin, a Sucuri researcher, released a report last week about the breach. He said, “these malicious redirects appear to be designed to increase the authority of the attacker’s sites for search engines.”

According to The Hacker News, “it’s not immediately clear how the WordPress sites are breached, and Sucuri said it did not notice any obvious plugin flaws being exploited to carry out the campaign.” However, the damage done to WordPress sites was quite extensive. The hackers modified far more files than is usually the case in other breaches. 

On each affected WordPress site, the attackers modified more than 100 files on average. This volume stands in stark contrast to most hacks. In other instances, hackers work hard to leave as little visible footprint as possible.


But this time, the damage was significant. “Some of the most commonly infected pages consist of wp-signup.php, wp-cron.php, wp-links-opml.php, wp-settings.php, wp-comments-post.php, wp-mail.php, xmlrpc.php, wp-activate.php, wp-trackback.php, and wp-blog-header.php.” By infecting this many core files, the malware could redirect visitors.
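Because the campaign left its mark in core files rather than in plugins, the practical check for a site owner is a file-integrity comparison: hash the core files once from a known-clean install, then re-hash them later and flag any that changed or disappeared. The script below is an added example, not code from the article or from Sucuri. The file names are the ones the article quotes; the directory tree and the altered line in demo() are constructed for the demonstration.

```python
"""Added example, not code from the article or from Sucuri: a baseline hash check
that flags WordPress core files whose contents changed. The file names are the ones
the article quotes; the directory tree and the altered line in demo() are constructed."""
import hashlib
import os
import tempfile

# Core files the article names as the most commonly infected in this campaign.
COMMONLY_INFECTED = [
    "wp-signup.php", "wp-cron.php", "wp-links-opml.php", "wp-settings.php",
    "wp-comments-post.php", "wp-mail.php", "xmlrpc.php", "wp-activate.php",
    "wp-trackback.php", "wp-blog-header.php",
]


def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, names=COMMONLY_INFECTED):
    """Record hashes of known-good files, taken right after a clean install or update."""
    baseline = {}
    for name in names:
        path = os.path.join(root, name)
        if os.path.isfile(path):
            baseline[name] = sha256_of(path)
    return baseline


def check_integrity(root, baseline):
    """Compare the current tree against the baseline; report changed and missing files."""
    modified, missing = [], []
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            missing.append(name)
        elif sha256_of(path) != expected:
            modified.append(name)
    return {"modified": sorted(modified), "missing": sorted(missing)}


def demo():
    """Constructed scenario: clean tree, baseline taken, then one file altered and one removed."""
    with tempfile.TemporaryDirectory() as root:
        for name in COMMONLY_INFECTED:
            with open(os.path.join(root, name), "w") as fh:
                fh.write("<?php\n// placeholder core file (constructed)\n")
        baseline = build_baseline(root)
        clean = check_integrity(root, baseline)  # nothing should be flagged yet
        with open(os.path.join(root, "wp-cron.php"), "a") as fh:
            fh.write("// extra line appended after the baseline was taken (constructed)\n")
        os.remove(os.path.join(root, "wp-mail.php"))
        return clean, check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

On a real install you would point build_baseline at the WordPress root immediately after a fresh install or core update and store the result somewhere the web server cannot write to; re-running check_integrity on a schedule then catches exactly the kind of mass file modification this campaign relied on. WP-CLI's `wp core verify-checksums` performs the same comparison against the checksums WordPress.org publishes for each release, so you do not even need your own baseline for core files.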

There is one bright spot in all of this. And that is, “the redirects don’t occur if the wordpress_logged_in cookie is present or if the current page is wp-login.php (i.e., the login page) so as to avoid raising suspicion.” So, if your site meets that criterion, it is likely safe.
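That cookie check is also why a site owner can be infected without noticing: the administrator is always logged in, so the administrator never sees the redirect. The defender's counter-check is to fetch the same page twice, once with no cookies and once with a wordpress_logged_in cookie, and compare what each response does. The code below is an added example, not code from the article or from Sucuri. It works on responses represented as plain dicts (status, headers, body); the responses and the host name blog.example in demo() are constructed.

```python
"""Added example, not code from the article or from Sucuri: detect a redirect that
fires only for anonymous visitors by comparing the same page fetched twice, once with
no cookies and once with a wordpress_logged_in cookie present. Responses are plain
dicts (status, headers, body); the ones in demo() are constructed, as is the host name."""
import re
from urllib.parse import urlparse

# Client-side redirects a page body can carry: <meta http-equiv="refresh"> and the
# common JavaScript forms window.location = "..." / location.href = "...".
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']refresh["\'][^>]+content=["\'][^"\']*url=([^"\'\s>]+)',
    re.I)
JS_REDIRECT = re.compile(
    r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def redirect_target(resp):
    """Return where a browser would be sent, or None if the page stays put."""
    if 300 <= resp["status"] < 400 and "Location" in resp["headers"]:
        return resp["headers"]["Location"]
    match = META_REFRESH.search(resp["body"]) or JS_REDIRECT.search(resp["body"])
    return match.group(1) if match else None


def offsite(url, site_host):
    """True for absolute URLs that point at another host; relative URLs are on-site."""
    host = urlparse(url).hostname
    return host is not None and host.lower() != site_host.lower()


def conditional_redirect(anon, logged_in, site_host):
    """True when the anonymous fetch leaves the site but the logged-in fetch does not.
    That asymmetry is the behaviour the article describes: admins never see the redirect."""
    anon_target = redirect_target(anon)
    admin_target = redirect_target(logged_in)
    if anon_target is None or not offsite(anon_target, site_host):
        return False
    return admin_target is None or not offsite(admin_target, site_host)


def demo():
    """Constructed responses for a hypothetical site at blog.example."""
    site = "blog.example"
    tampered_anon = {"status": 200, "headers": {}, "body":
                     '<html><head><meta http-equiv="refresh" '
                     'content="0;url=https://bogus-qa.example/"></head></html>'}
    normal_page = {"status": 200, "headers": {}, "body":
                   "<html><body><p>Ordinary post content.</p></body></html>"}
    # A legitimate permalink change: both fetches receive the same on-site 301.
    slug_moved = {"status": 301, "body": "",
                  "headers": {"Location": "https://blog.example/new-slug"}}
    return {
        "tampered": conditional_redirect(tampered_anon, normal_page, site),
        "benign_301": conditional_redirect(slug_moved, slug_moved, site),
    }


if __name__ == "__main__":
    print(demo())
```

To run this against your own site, fetch the page with redirect-following disabled (so a 3xx is observed rather than followed), then fetch it again sending a cookie whose name begins with wordpress_logged_in (WordPress appends a site-specific hash to the real cookie name, and the article says the redirect is suppressed whenever that cookie is present), and pass the two responses to conditional_redirect. A redirect that appears only in the first fetch is the signal; a redirect that appears in both, or that stays on your own host, is ordinary site behaviour.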

It appears that the end goal of this campaign was to boost traffic to fake sites and improve their search ranking. Once the fake sites ranked higher, they would draw more organic search traffic. And while the end result is clear, how the attackers pulled off the heist is not.

Because Sucuri “did not notice any obvious plugin flaws being exploited to carry out the campaign,” the researchers believe the hackers brute-forced the administrator accounts instead. The compromise of administrator accounts is troubling, but the good news is that the WordPress plugins remain secure.

There are a few steps you can take to protect your WordPress website (and many other online accounts, for that matter). One is to enable two-factor authentication on your accounts.

The second is to ensure all software is up to date. This step is probably the most difficult one. As we all get busy, it is easy to delay those necessary updates.

But taking a few extra moments to secure your account is worthwhile. You may not be able to protect against all future attacks. However, it will make you less of an easy target for hackers.