Large-Scale Attempts to Attack WordPress Sites

Published on 06 May 2020

Updated on 06 May 2020

Large-scale attempts to attack WordPress sites have been observed by Wordfence, a cybersecurity firm which runs a WordPress security plugin.

The attacks leverage Cross-Site Scripting (XSS) vulnerabilities in outdated WordPress plugins to implant JavaScript code. This code redirects users to malicious websites and further leverages logged-in administrators to create backdoor accounts without their knowledge.

Administrators and site owners using the affected products are advised to enable automatic updates or perform regular updates of WordPress and its plugins to protect against known vulnerabilities. Administrators and site owners are also advised to deactivate and delete any plugins that have been removed from the WordPress plugin repository.
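As an added example (not part of the original advisory or any vendor's tooling), the shell functions below screen WP-CLI CSV output for plugins with a pending update and for administrator accounts registered on or after a chosen date, the two conditions described above. The function names, the cutoff date and all sample rows are constructed for illustration; flagged accounts still need manual review.

```shell
#!/bin/sh
# Added example: screen WP-CLI CSV exports for outdated plugins and for
# recently created administrator accounts. All sample rows are constructed.

# Print logins of administrators registered on or after CUTOFF (YYYY-MM-DD).
# stdin: wp user list --role=administrator \
#          --fields=ID,user_login,user_registered --format=csv
recent_admins() {
    awk -F',' -v cutoff="$1" '
        NR == 1 { next }                      # skip the CSV header row
        {
            gsub(/"/, "")                     # drop quotes around the timestamp
            if (substr($3, 1, 10) >= cutoff)  # ISO dates compare as strings
                print $2
        }'
}

# Print names of installed plugins (active or not) with an update pending.
# stdin: wp plugin list --fields=name,status,update,version --format=csv
outdated_plugins() {
    awk -F',' 'NR > 1 && $3 == "available" { print $1 }'
}

# Constructed sample data in the shape WP-CLI emits.
SAMPLE_ADMINS='ID,user_login,user_registered
1,siteowner,"2017-03-14 09:02:11"
7,editor-lead,"2019-11-02 16:40:53"
23,wpsupport_x,"2020-05-01 03:17:29"'

SAMPLE_PLUGINS='name,status,update,version
example-gallery,active,available,1.2.0
example-forms,active,none,3.4.1
example-slider,inactive,available,0.9.7'

echo "Administrators created on or after 2020-04-28 (assumed cutoff):"
printf '%s\n' "$SAMPLE_ADMINS" | recent_admins 2020-04-28

echo "Plugins with an update pending:"
printf '%s\n' "$SAMPLE_PLUGINS" | outdated_plugins
```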

More information is available at:
https://www.wordfence.com/blog/2020/05/nearly-a-million-wp-sites-targeted-in-large-scale-attacks/
https://www.zdnet.com/article/a-hacker-group-tried-to-hijack-900000-wordpress-sites-over-the-last-week/