Lately, it seems that not a week goes by without fresh news of a vulnerability that could unleash a wave of attacks on servers and devices around the world. But some weeks are worse than others. On December 10th, Mojang, the studio behind the ever-popular sandbox game Minecraft, published a blog post about a critical bug in Log4j, the Java logging library. The bug allows an attacker to execute code of their choosing on, and so take control of, a machine running the vulnerable software.
The problem is that Log4j is one of the most widely used open-source Java libraries ever created, which means an enormous number of servers and devices are exposed. But the announcement wasn't bad news for everyone. WordPress site owners, for example, breathed a sigh of relief: the 18-year-old CMS is written in PHP, doesn't use Log4j, and isn't on the list of software vulnerable to the Log4j bug (whether a Java component elsewhere on the hosting stack is affected is a separate question).
That doesn't mean WordPress site owners can relax, though. Right around the time the Log4j catastrophe started hitting the headlines, another threat emerged that's no less serious, and it's aimed squarely at WordPress websites. As of the 10th, reports indicated that at least 1.6 million WordPress sites were under active attack, and that could be just the beginning.
The attackers are trying to exploit a variety of vulnerable WordPress plugins and themes, and when they succeed they gain full administrator access to the affected website. So site administrators have their work cut out for them checking whether their sites are exposed. To help, here's a list of the known vulnerable plugins and themes, and an overview of what to do to secure a vulnerable site.
One reason the current attack on WordPress sites is so widespread is that the attackers are targeting a handful of vulnerabilities at once instead of a single one. Frustratingly, some of those vulnerabilities were patched as early as 2018, which says a great deal about how many site administrators haven't kept up with the available plugin updates.
So far, the list of plugins being targeted includes:
The good news about this list is that every one of the affected plugins has a patch available that fixes its vulnerability. That means sites using them can update today and close the hole, provided it hasn't already been exploited. Updating removes the vulnerability, but it does not undo anything an attacker has already done, which is why the checks later in this article still matter.
Unfortunately, plugins aren't the only thing the attackers are targeting right now. They're also going after a vulnerability in the Epsilon Framework, a common set of underlying code that a variety of WordPress themes rely on. Again, the vast majority of the affected themes have patches available that correct the problem. All but one, that is.
The affected site themes are:
With such a long list of vulnerable themes, the scope of the potential attack is far larger than what security researchers have recorded so far. But updating the affected themes to the most recent version prevents attackers from exploiting a previously vulnerable site.
The one known exception is the NatureMag Lite theme, for which no patch is available so far. Sites using it should switch to a different theme immediately and delete the vulnerable theme from their WordPress installation rather than merely deactivating it. Unfortunately, that drastic step is the only thing users of that particular theme can do to secure their sites right now.
Because some of the vulnerabilities listed here aren't new, any site that used any of the vulnerable plugins or themes may already have been hit. And although many webmasters assume that seeing no visible changes to their site's content means it's safe, they shouldn't dismiss the threat so easily.
That's because the attackers aren't necessarily trying to deface websites. They're trying to give themselves access to the administrative console, and to do so without getting caught. From there, they can use that access to harvest user data or make other unauthorized changes to the site's underlying code.
The good news is that the way the attackers do this leaves traces that webmasters can find if they know what to look for. What the attackers do is enable the "users_can_register" option and change the "default_role" option to "administrator" (the lowercase role slug that WordPress stores in the wp_options table). From that moment on, anyone who signs up through the site's public registration form gets an administrator account by default, so the attacker simply registers a new user and logs in as an admin.
So, the first thing to do to see whether a site's been compromised is to go to the General Settings page of the WordPress administrative console, at:
http://yourdomainname.com/wp-admin/options-general.php
On that page, make sure the "Anyone can register" box under Membership is unchecked (unless your site allows registrations on purpose), and that "New User Default Role" is set to "Subscriber" or whatever role is appropriate for the site in question. If either option has been altered from the correct setting, there's a good chance the site's been hacked.
If they discover evidence that an attacker has gained administrator access, WordPress site owners have only two real options. For sites that don't collect user data or aren't mission-critical (personal blogs and the like), it may suffice to go through the site's user list, remove any accounts created without authorization, and reset the passwords of the administrators that remain, since an attacker with admin rights could have changed those too.
At the very least, that cuts off the attacker's administrative access going forward. The problem then is working out whether any other changes have been made to the site itself, because someone with administrative access could have altered the site's underlying code (a plugin or theme file, say) in ways that are very hard to spot by eye.
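As an added example (not from the original article, and not a WordPress or plugin-vendor tool), here is a small WP-CLI script that automates the two checks described above: it flags the tampered "users_can_register" and "default_role" options, lists administrator accounts registered since a cutoff date so they can be reviewed, and compares core and plugin files against the official checksums to surface modified files. It assumes WP-CLI (`wp`) is installed and is run from the WordPress root; the function names, the 2021-12-01 cutoff and the sample user rows are assumptions of mine, not data from the page.

```shell
#!/bin/sh
# Added example, not from the original article: audit a WordPress site for the
# indicators described above using WP-CLI. Run it from the WordPress root as
# the web server user:   sh wp_audit.sh
# The two check functions take their input as arguments, so they can be run on
# constructed values without a WordPress install (the `else` branch below).

# Check the two options the attackers flip. Expected safe state:
#   users_can_register = 0          (unless the site deliberately allows sign-ups)
#   default_role       = subscriber (or another low-privilege role)
# Note that wp_options stores the role slug in lowercase: "administrator".
# Prints findings and returns 0 if both look safe, 1 if either is tampered with.
check_registration_settings() {
  users_can_register="$1"
  default_role="$2"
  status=0
  if [ "$users_can_register" != "0" ]; then
    echo "WARNING: users_can_register=$users_can_register (anyone can create an account)"
    status=1
  fi
  if [ "$default_role" = "administrator" ]; then
    echo "CRITICAL: default_role=administrator (every new account becomes an admin)"
    status=1
  fi
  return "$status"
}

# Take the CSV produced by
#   wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv
# (header line first) and print every administrator registered on or after the
# cutoff date in $2 (YYYY-MM-DD). Dates in this format sort correctly as strings.
# Returns 1 if any such account exists, 0 otherwise.
recent_admins() {
  csv="$1"
  since="$2"
  found=$(printf '%s\n' "$csv" | awk -F, -v since="$since" 'NR > 1 && $3 >= since { print }')
  if [ -n "$found" ]; then
    echo "Administrator accounts registered since $since (verify each one):"
    echo "$found"
    return 1
  fi
  return 0
}

if command -v wp >/dev/null 2>&1 && [ -f wp-config.php ]; then
  check_registration_settings "$(wp option get users_can_register)" \
                              "$(wp option get default_role)" || true
  # Cutoff date is an assumption: roughly when this campaign was first reported.
  recent_admins "$(wp user list --role=administrator \
                   --fields=ID,user_login,user_registered --format=csv)" 2021-12-01 || true
  # Compare core and wordpress.org-hosted plugin files with the official
  # checksums; each "doesn't verify" line is a modified file to inspect.
  # (Themes, uploads and wp-config.php are not covered by these commands.)
  wp core verify-checksums
  wp plugin verify-checksums --all
else
  echo "No WP-CLI or wp-config.php here; running the checks on constructed sample values."
  check_registration_settings 1 administrator || echo "-> registration settings are tampered with"
  # Constructed sample of `wp user list` CSV output, not real site data.
  SAMPLE_ADMINS='ID,user_login,user_registered
1,owner,2019-03-02 10:00:00
57,wp_support,2021-12-10 03:14:15'
  recent_admins "$SAMPLE_ADMINS" 2021-12-01 || echo "-> review the account(s) above"
fi
```

The checksum commands only cover WordPress core and plugins published on wordpress.org, so a backdoor dropped into a theme, the uploads directory or wp-config.php would not show up there; treat a clean checksum run as necessary, not sufficient, before deciding against the full reinstall discussed below.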
These attacks can disrupt a site's normal operation. For a business, that could mean broken site functionality, manipulated content or, worse, exposure of customer data.
For some people, the prospect of such undetected changes isn't a big deal. But unless the affected site is so unimportant that it wouldn't matter if it got defaced, looted, or destroyed, leaving well enough alone isn't a viable option.
So, most owners of compromised websites will want to reinstall WordPress and restore their content from a backup. In a perfect world, a backup from before the vulnerable plugin or theme was added is the best bet – but in the real world, the age of the vulnerabilities means that may not be possible.
The first step in cleaning up a hacked WordPress site for which no clean backup is available is a counterintuitive one: take a complete backup of the site, files and database, as it exists before attempting any cleanup. This reduces the chance of doing irreparable damage or losing irreplaceable content in the process, and it preserves a record of what the attacker changed.
The next step is to get to work rolling the WordPress site back to its defaults. To do so:
Most WordPress site owners, if they act fast, won't have to do anything but update their plugins and themes to keep their sites secure. But for the unlucky, a complete site reinstallation may be the only way to undo the potential damage caused by this latest wide-ranging WordPress attack. And after doing that, it's a safe bet that affected webmasters won't forget to update their plugins and themes going forward. Doing so is the easiest way to keep a WordPress site safe from harm, and it sure beats the alternative.