Stealing WordPress credentials
Yesterday WordFence published a scary article titled "Large Scale Attack Campaign Targets Database Credentials". The article describes a recent mass-scanning attack on WordPress sites. The purpose of the attack was to steal WordPress configuration files - and therefore the usernames/passwords of WordPress admins.
"As with the XSS campaigns, almost all of the attacks are targeted at older vulnerabilities in outdated plugins or themes that allow files to be downloaded or exported. In this case the attackers are attempting to download wp-config.php, a file critical to all WordPress installations which contains database credentials and connection information, in addition to authentication unique keys and salts."
Since WordFence is in the business of selling "the best WordPress security", they have little intention of explaining how these attacks really work.
Instead, they blatantly advertise their product as a remedy for everything:
"All Wordfence users, including sites running the free version of Wordfence, and Wordfence Premium, are protected against these attacks."
That's really not helpful, so let me fix that.
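The probing described in the quoted passage leaves a recognisable trace in web server access logs. The following is an added example, not code from this post or from Wordfence: it scans combined-format log lines for requests that name wp-config.php in a query string or through path traversal. The log lines, plugin and theme paths and parameter names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (documentation IP ranges, hypothetical plugin/theme paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2020:10:00:00 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../wp-config.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [01/Jan/2020:10:00:01 +0000] "GET /wp-content/themes/example-theme/export.php?path=..%252f..%252fwp%252dconfig.php HTTP/1.1" 403 199',
    '198.51.100.4 - - [01/Jan/2020:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
    '198.51.100.4 - - [01/Jan/2020:10:00:03 +0000] "GET /index.php?s=config HTTP/1.1" 200 5000',
]

# Client IP, request target and status code from a combined-log-format line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %252d) so an encoded file name cannot hide."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_config_probes(log_lines):
    """Return (ip, status, raw_target) for requests that try to read wp-config.php."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        path, _, query = m.group("target").partition("?")
        path = decode_fully(path).replace("\\", "/").lower()
        query = decode_fully(query).replace("\\", "/").lower()
        in_query = "wp-config.php" in query          # file name passed as a parameter
        via_traversal = "wp-config.php" in path and "../" in path
        if in_query or via_traversal:
            hits.append((m.group("ip"), int(m.group("status")), m.group("target")))
    return hits

def served(hits):
    """Probes answered with 200 come first in triage: the file may have been disclosed."""
    return [h for h in hits if h[1] == 200]

if __name__ == "__main__":
    for hit in find_config_probes(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 is a reason to rotate the database password and the keys and salts in wp-config.php, and to update or remove the plugin or theme that answered the request.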