WP3.XYZ Malware Campaign Compromises Over 5,000 WordPress Sites
A recent malware campaign has compromised more than 5,000 WordPress websites, leading to the creation of unauthorized administrator accounts, installation of malicious plugins, and data exfiltration.
Details of the Attack
The attack involves a script loaded from the domain wp3[.]xyz, which performs the following actions:
- Creates a rogue administrator account with the username wpx_admin and a hardcoded password.
- Downloads and activates a malicious plugin from the same domain.
- Exfiltrates sensitive data, including administrator credentials and logs, to the attacker's server.
Recommendations for Website Administrators
To protect your WordPress site from this threat, consider the following measures:
- Block the domain wp3[.]xyz using firewalls or security tools, and search the site's files and database for references to it.
- Review all administrator accounts for unauthorized entries, in particular the wpx_admin user described above, and remove any suspicious accounts.
- Audit installed plugins and themes, removing any that are unused or appear suspicious.
- Enforce Cross-Site Request Forgery (CSRF) protections in any custom plugin or theme code that performs privileged actions: tokens that are unique to the user and the action, validated on the server before the action runs, and regenerated periodically. In WordPress this is what the nonce API (wp_nonce_field and check_admin_referer) provides; pair it with a capability check such as current_user_can('create_users'). Note that a nonce only stops requests forged from another origin; it cannot stop a script that is already running on the site's own pages.
- Implement multi-factor authentication (MFA) to add an extra layer of security to administrator accounts.
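As an added example (not code from the article, nor from any WordPress project), the following POSIX shell helpers turn the indicators listed above and the account review recommended here into a repeatable triage check: one function lists files under the WordPress root that reference the wp3.xyz domain, the other reports administrator logins that are not on an allow-list and always flags wpx_admin. They assume a standard WordPress directory layout, the default wp_ table prefix in the SQL shown in the comments, and that WP-CLI is available to export the current administrator list. The sample site the script builds for its offline run, including the plugin directory name and the script path, is constructed for illustration; the real script path is not given in the article.

```shell
#!/bin/sh
# Triage helpers for the wp3[.]xyz indicators (added example, not from the article).
#
# Export the current administrator logins first, one per line, e.g. with WP-CLI:
#   wp user list --role=administrator --field=user_login > current-admins.txt
# or directly from the database (assumes the default wp_ table prefix):
#   SELECT u.user_login, u.user_registered FROM wp_users u
#     JOIN wp_usermeta m ON m.user_id = u.ID
#     WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%';

WP3_DOMAIN_PATTERN='wp3\.xyz'   # loader domain from the article, escaped for grep
ROGUE_ADMIN='wpx_admin'         # rogue account name from the article

# Print files under the WordPress root $1 that reference the attacker domain.
# Only PHP, JavaScript, HTML and .htaccess files are inspected, since an
# injected loader or a dropped plugin would live in one of those.
find_domain_references() {
    root=$1
    find "$root" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \
        -o -name '.htaccess' \) -exec grep -l "$WP3_DOMAIN_PATTERN" {} + 2>/dev/null | sort
    return 0
}

# Print administrator logins in $1 (current state, one per line) that are not
# listed in the allow-list file $2. The known rogue name is reported even if
# it has mistakenly been allow-listed.
unexpected_admins() {
    current=$1
    expected=$2
    {
        grep -vxF -f "$expected" "$current"   # present on the site, not expected
        grep -xF "$ROGUE_ADMIN" "$current"    # known-bad name, regardless of list
    } | sort -u
    return 0
}

# Build a small constructed sample site so the helpers can run offline.
# Real triage points them at the live document root instead.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/plugins/seo-boost" "$site/wp-content/themes/clean"
    # constructed: a dropped plugin that loads a script from the attacker domain
    # (plugin name and script path are invented for this example)
    printf '%s\n' '<?php' \
        'add_action("wp_head", function () {' \
        '  echo "<script src=\"https://wp3.xyz/script.js\"></script>";' \
        '});' > "$site/wp-content/plugins/seo-boost/seo-boost.php"
    # constructed: a benign theme file with no indicator
    printf '%s\n' '<?php get_header(); ?>' > "$site/wp-content/themes/clean/index.php"
    # constructed: exported admin list versus the admins the owner expects
    printf '%s\n' 'alice' 'bob' 'wpx_admin' > "$site/current-admins.txt"
    printf '%s\n' 'alice' 'bob' > "$site/expected-admins.txt"
    printf '%s\n' "$site"
}

# Usage: run_triage <wordpress-root> <current-admins-file> <expected-admins-file>
run_triage() {
    printf '== files referencing wp3.xyz ==\n'
    find_domain_references "$1"
    printf '== unexpected administrator accounts ==\n'
    unexpected_admins "$2" "$3"
}

if [ "$#" -eq 3 ]; then
    run_triage "$1" "$2" "$3"
else
    sample=$(make_sample_site)
    run_triage "$sample" "$sample/current-admins.txt" "$sample/expected-admins.txt"
    rm -rf "$sample"
fi
```

Run it with the live document root and the two exported lists as arguments; with no arguments it exercises itself on the constructed sample. Any file it reports should be treated as evidence of the dropped plugin or injected loader and quarantined for review, and any login it reports should be checked against the site's change history before deletion.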
Conclusion
This widespread attack underscores the importance of robust security measures for WordPress sites. Regular audits of user accounts and installed plugins, along with the implementation of advanced security protocols, are essential steps in safeguarding your website against such threats.