A few days ago, Websense® SecurityLabs™ detected a large-scale malware campaign mainly targeting WordPress pages. We have received many questions about who and which websites are in danger and how to protect against this attack. While many forum posts and comments speculate that outdated WordPress versions are at fault, unfortunately, we found that this is not true. We dug a bit into this subject and analyzed 30,000 domains to see what types and versions of CMS (Content Management System) have been compromised so far.
We checked several aspects of each of these compromised websites and concluded that most of them are served by the Apache web server and a PHP environment. As you can see in the pie chart below, PHP dominates the server side:
Digging a little deeper, we were also able to examine which CMSs were victims of the attack. Initially, when we discovered the attack, we found only WordPress sites, and after a week or so, the picture had not changed much. WordPress still serves the majority of the compromised websites; however, we did see a small number of other CMSs as well. We also noticed that an increasing number of Joomla sites are affected, with all other content managers making up a smaller slice.
The big question still remains: Is my website protected if I use the latest WordPress version? Checking all the WordPress sites, we concluded that most of the compromised sites were in fact using the most recent version, which indicates that having the latest version of WordPress does not make you immune to this threat.
So how can you protect yourself? Here are some of the dominant attack vectors through which websites running the latest WordPress version are likely to be exploited:
- Weak passwords / stolen credentials
- Vulnerable third-party modules used in WordPress
- Security holes in the underlying server infrastructure, such as in the database server or the server-side scripting engine (PHP in this case)
Websense Security Labs strongly recommends that website owners perform security audits and fix all problems to keep attackers away from their sites. Websense customers are protected from injected websites with our Advanced Classification Engine, or ACE, which detects compromised websites in real time.