Thousands of WordPress websites hit in new malware attack, here's what we know


  • Security researchers find more than 5,000 websites carrying a piece of malicious code
  • The malware installs a plugin that steals login credentials and sensitive data
  • The researchers recommended a number of mitigation measures

Thousands of WordPress websites were observed running malware able to create a rogue admin account and exfiltrate sensitive data through malicious plugins.

A new report from security researcher Himanshu Anand of c/side says at least 5,000 WordPress websites were found hosting a malicious script that creates an unauthorized admin account with a username and password that can be found in the code.

After creating the account, the script downloads a malicious WordPress plugin and runs it. The plugin, which wasn’t named, is tasked with exfiltrating sensitive data to a remote server. The data being pulled includes admin credentials and operation statuses, the report added.

How to defend

The researchers could not determine exactly how the malicious code ended up on these websites.

“So far, we haven't identified a common denominator, and our investigation is ongoing,” Anand said.

Those interested in double-checking if their website is secure or not should visit one of these websites, the researcher advised:

- PublicWWW.com
- URLScan.io

To defend against the attacks, c/side recommends blocking the domain https://wp3[.]xyz in firewalls or security tools, auditing WordPress admin accounts for unauthorized users, removing suspicious plugins and validating existing ones, and strengthening CSRF protections and implementing multi-factor authentication (MFA). Ultimately, they recommend using c/side’s services, too.
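As an added example (not code from c/side or from the original article), the following Python checks a copy of a site's files for references to the blocked domain and flags administrator accounts that are missing from an approved list. It assumes the administrator list is JSON exported with WP-CLI (`wp user list --role=administrator --fields=user_login --format=json`); the file layout, approved list and account names are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# Domain named in the article, kept defanged in source and refanged for matching.
IOC_DOMAIN = "wp3[.]xyz".replace("[.]", ".")
# Match the domain or a subdomain of it; reject look-alikes such as "notwp3.xyz".
IOC_RE = re.compile(
    r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(IOC_DOMAIN) + r"(?![\w-])", re.I)
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}

def find_ioc_references(root):
    """Return sorted (relative path, line number) pairs where the domain appears."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            for number, line in enumerate(text.splitlines(), 1):
                if IOC_RE.search(line):
                    hits.append((path.relative_to(root).as_posix(), number))
    return sorted(hits)

def unexpected_admins(users_json, approved):
    """Return administrator logins that are not on the approved list."""
    allowed = {name.lower() for name in approved}
    return sorted(user["user_login"] for user in json.loads(users_json)
                  if user["user_login"].lower() not in allowed)

def demo():
    # Constructed sample data: a tiny fake docroot and a fake admin export.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/themes/demo").mkdir(parents=True)
        (root / "index.php").write_text("<?php // clean file\n")
        (root / "wp-content/themes/demo/footer.php").write_text(
            "<footer>\n<script src='https://" + IOC_DOMAIN + "/x.js'></script>\n")
        (root / "notes.html").write_text("see notwp3.xyz.example.org\n")
        hits = find_ioc_references(root)
    users = json.dumps([{"user_login": "alice"},
                        {"user_login": "constructed_rogue"}])
    return hits, unexpected_admins(users, ["Alice"])

if __name__ == "__main__":
    print(demo())
```

A hit in a theme or plugin file shows where the script is referenced, and any login returned by `unexpected_admins` needs to be traced to a person before it is kept.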

Being the most popular website builder on the planet, WordPress is constantly being targeted by threat actors. However, since the platform is secure for the most part, attackers are focused on third-party plugins and themes, especially free-to-use ones, which often don’t have the right software support.

As a general rule of thumb, businesses should only use plugins and themes from reputable sources and with a strong supporting community. They should also make sure to uninstall any plugins they are not using, and to keep the remaining ones up to date.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
