Wordfence analysts have detailed a campaign where over 1.6 million WordPress sites are being targeted. Threat actors here are taking over sites by compromising bugged plugins and themes.

While most of the plugins and themes have received patches, it’s the job of site admins to update them and keep checking. Analysts have listed how to manage sites from this attack guide, so the sites can be protected.

WordPress Sites Under Attack

As plug-ins and themes add more value to WordPress sites, many admins connect them for extra productivity. But, if they’re not maintaining them in the latest version, they can make the site prone to cyberattacks.

This can be so vigorous, as detailed by the Wordfence analysts in their recent post. They have noticed a malicious campaign where the threat actors were seen targeting over 1.6 million WordPress sites through 16,000 IP addresses, having four specific plugins and fifteen Epsilon Framework themes. These are;

  • PublishPress Capabilities
  • Kiwi Social Plugin
  • Pinterest Automatic
  • WordPress Automatic

Vulnerable Epsilon Framework themes involve;

  • Shapely
  • NewsMag
  • Activello
  • Illdy
  • Allegiant
  • Newspaper X
  • Pixova Lite
  • Brilliance
  • MedZone Lite
  • Regina Lite
  • Transcend
  • Affluent
  • Bonkers
  • Antreas
  • NatureMag Lite

While most of the themes and plugins had received patches way back in 2018, some have received updates recently. Also, NatureMag Lite is the only theme that has no update yet, so still vulnerable. Analysts said the attacks have spiked significantly in the last couple of days.

They said the attackers were changing the users_can_register option in targeted WordPress sites to “enabled” and setting the default_role option in them to to “administrator“, thereby gaining admin privileges even by registering as a general subscriber.

To know whether your site is hijacked or not, review the member’s list for any suspicious additions of new accounts as admins, and change the Membership and default role setting. Update your plug-ins to avoid any hack.

But if your site is already compromised, updating them won’t do anything now, unless you remove the rogue admin accounts. And since the NatureMag Lite has got no patch yet, you should uninstall it until an update is available. Follow the detailed clean-up guides for cleaning your site.


Please enter your comment!
Please enter your name here