Thursday, August 18, 2016

WordPress Security Las Vegas -

Last week we shared the top 20 most attacked WordPress themes and an explanation of why many of them are targeted. This week we’ve dug deeper into the data and are publishing the top 50 most attacked WordPress plugins during the past 7 days. The data we’re sharing today is based on the following high-level metrics: during the past week Wordfence blocked 20,644,496 unique attacks across all the sites we protect. We saw attacks from 73,629 unique IP addresses during the period. 20,622,975 attacks came from IPv4 addresses and 15,160 came from IPv6 addresses. Of the approximately 1.5 million active websites that we protect, 581,689 received attacks during the past week.

The following is a list of the plugins that received the most attacks during the past week, counted as the most recent 7 days starting on Tuesday evening, August 16th, and looking back 7 days. Once again we are showing the plugin ‘slug’, which is the unique directory name that the plugin uses when it installs into WordPress. This week we are ordering things slightly differently. The plugins are ordered by the number of unique sites that received attacks, labeled “Sites attacked”. We feel this is a more useful order because it shows how widespread an attack on a particular plugin is, rather than just the raw volume of attacks.

“Total attacks” is the total number of attacks that we logged on that plugin. “IPs” is the number of unique IP addresses that attacks targeting the plugin originated from. “Type” is the type of attack. In most cases it is a “Local File Inclusion” (LFI) attack, which allows an attacker to download any file they want from the target system. The vast majority of files targeted are either wp-config.php, which contains the database username, password and server name, or /etc/passwd, which contains the host operating system usernames. Where we’ve labeled the Type as “Shell”, it indicates an attack that allows an attacker to upload a shell to the target site, which gives them full remote access. These are the most serious vulnerabilities and attacks.

All attacks are on vulnerabilities that are already publicly known. If you run any of these WordPress plugins, make sure that:

- You are using the newest version of the plugin.
- That version does not have any known vulnerabilities.
- You are running Wordfence with the Firewall enabled, because we protect against all vulnerabilities shown.

The list of the top 50 most attacked plugins during the past week follows:

Plugin                                            Sites attacked  Total attacks    IPs  Type
recent-backups                                           182,525        351,014  3,467  LFI
wp-symposium                                             149,860        242,715  3,460  Shell
google-mp3-audio-player                                  138,282        307,743  2,032  LFI
db-backup                                                129,519        287,043  2,189  LFI
wptf-image-gallery                                       107,000        131,938  2,846  LFI
wp-ecommerce-shop-styling                                103,471        131,011  2,887  LFI
candidate-application-form                               103,017        127,359  2,820  LFI
wp-miniaudioplayer                                        91,546        196,557  1,381  LFI
ebook-download                                            88,461        189,640  1,408  LFI
ajax-store-locator-wordpress_0                            86,051        119,192  1,396  LFI
hb-audio-gallery-lite                                     82,041        105,618  1,505  LFI
simple-ads-manager                                        70,683        166,131  6,476  Shell
revslider                                                 53,549        145,626    407  Shell
inboundio-marketing                                       53,063        112,696    874  Shell
wpshop                                                    51,609        111,546    830  Shell
dzs-zoomsounds                                            51,089        225,032    731  Shell
reflex-gallery                                            49,853        111,624    699  Shell
wp-mobile-detector                                        38,764        115,235    800  Shell
formcraft                                                 25,192         52,604    668  Shell
sexy-contact-form                                         19,076         50,649    316  Shell
filedownload                                              12,584         19,400    353  LFI
plugin-newsletter                                         11,982         23,887    451  LFI
simple-download-button-shortcode                          11,558         21,502    427  LFI
pica-photo-gallery                                        11,059         16,587    262  LFI
tinymce-thumbnail-gallery                                 10,972         16,429    263  LFI
dukapress                                                 10,814         16,235    333  LFI
wp-filemanager                                            10,756         16,634    331  LFI
history-collection                                        10,427         24,371    607  LFI
s3bubble-amazon-s3-html-5-video-with-adverts              10,312         24,011    595  LFI
simple-image-manipulator                                   7,268          8,272    448  LFI
ibs-mappro                                                 5,555         18,738    448  LFI
image-export                                               5,442          6,047    266  LFI
abtest                                                     5,431          5,885    297  LFI
wp-swimteam                                                5,119          5,433    238  LFI
contus-video-gallery                                       4,921         17,866    345  LFI
sell-downloads                                             4,393          4,746    240  LFI
brandfolder                                                4,268          4,619    230  LFI
thecartpress                                               4,164          4,534    274  LFI
advanced-uploader                                          4,066          4,351    203  LFI
aviary-image-editor-add-on-for-gravity-forms               3,548          5,749    247  Shell
wp-post-frontend                                           1,811         16,690    294  Shell
[redacted]*                                                1,716          2,133     65  Shell
mdc-youtube-downloader                                     1,039          5,517    199  LFI
document_manager                                             915          4,450    148  LFI
paypal-currency-converter-basic-for-woocommerce              797          1,133    129  LFI
justified-image-grid                                         788         17,852     35  LFI
cherry-plugin                                                539          3,919     31  Shell
aspose-cloud-ebook-generator                                 531            720     25  LFI
gwolle-gb                                                    331            406     46  LFI

*The redacted plugin in the list was removed before publication. It is an undocumented older shell upload vulnerability which is being targeted. The vulnerability does not exist in the current version of the plugin. Because it’s undocumented it is technically a zero day vulnerability, even though the vulnerability has been fixed in newer versions of the plugin, so we decided to remove the plugin name.

Notes

The large number of local file inclusion vulnerabilities that are being exploited is surprising. I should also note that many of these LFIs were discovered by Larry Cashdollar, who I had the pleasure of seeing speak at Defcon in Las Vegas 2 weeks ago. So I suspect that many of these are being used in an attack script of some kind, which may explain their prevalence in the attacks we’re seeing.

The clustering of LFIs together and Shell exploits together in the list order is odd, but I don’t have a theory to explain it, and there is no error in the data that accounts for it. It appears to be coincidence.

The vulnerability in the Recent Backups plugin at the top of the list was disclosed in August 2015 and the plugin has now been removed from the repository, probably because it was not being maintained. The large number of exploits targeting this plugin is puzzling because, as far as I can tell from archive.org, the plugin only had a few thousand installs. It may be because it is quite easy to “google dork” to find sites that are vulnerable, and the abundance of target sites may make this an attractive target.

As a final note, I’d like to add that this data is simply an indication of the volume of attacks that we are seeing on plugins in the wild across the large attack surface that is WordPress websites protected by Wordfence. It does not give any indication of whether a plugin in this list is more or less secure than others. It does not include data on how successful attacks on the plugins shown may or may not be. It is purely an indication of attack activity in the wild on WordPress plugins during the past week. Your comments are welcomed as always.

The post Top 50 Most Attacked WordPress Plugins This Week appeared first on Wordfence.