08-23-2019, 10:02 PM
I've come across at least two instances of WordPress plugin attacks at another hosting forum that fortunately were picked up by our server security filters and led to instant suspension of the sites. Otherwise it may have led to warnings to our datacentre and possible blacklisting of our IP. Then today I found a really great blog article from WordFence that explains what must have happened. WordFence, a WordPress security specialist, identified and is tracking an active attack campaign targeting a selection of new and old WordPress plugin vulnerabilities. The one I came across at the other hosting forum was Contact Form 7, for example. Those attacks maliciously redirect traffic from the victims' sites to a number of potentially harmful locations. It's a real sad situation for users who used to be able to run WordPress sites in reasonable safety. It's no longer safe to have a WordPress site UNLESS you know what you are doing, are completely up to date with every plugin and theme in your site, and have proper security tools such as WordFence as part of your site.
You can read more about the WordFence blog article at the URL below:
https://www.wordfence.com/blog/2019/08/m...l-plugins/
An interesting part of the article is the behaviour analysis of the exploits. The attackers rotate their domains frequently, with new domains appearing every few days, and attacks involving older domains taper off. The examples given in the article are just the examples WordFence has been tracking. I could probably provide WordFence with more examples, although I'm a bit too exhausted to do that. For me, however, the sophistication with which WordPress is being manipulated is so complex and threatening that I'm definitely going to think of new ways to publish blogs. I still have to start with this. OR one should only use VERY reliable plugins that are regularly updated and tested, and as few as possible. And of course have WordFence as a plugin as well.
Another interesting fact that came out for me during an experience with Contabo was that these guys are masters at manipulating IPs from different servers. Like with the old IP I had at Contabo, even with me being the owner, there were four other active domains registered with my IP number as active websites - Namecheap was the registrar. So basically, if they had been used as part of the attack, then blacklisting systems would have immediately connected them up with the Contabo IP and those domains as being situated on the VPS, which they had not been, and I don't have a real idea how that came about.
Maybe it's as simple as this: when a registrar allows a person to add name servers to a domain, there is no real authentication to make sure that the name servers point to a legitimate site. They can really point anywhere, including the victim's site that the attackers have managed to infiltrate. So maybe some of this is the fault of domain registrars? They have domains listed with IPs that aren't really associated with the domains. Possibly there should be a new system created where, if one adds one's name servers, there needs to be a verification of exactly what IP is associated with the name server to make sure it's not being used by rogue malicious attackers.
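A defender-side check for the situation described above (foreign domains pointed at your server's IP without your knowledge), added here as an example; it is not code from the forum post or from WordFence. Two signals are combined: the `Host` headers that actually arrive at the web server, and forward DNS lookups for a list of candidate domains (for instance from a passive-DNS export). Assumptions: the access log format is hypothetical (a combined log with `$host` appended as the last quoted field), the sample log lines and IP addresses are constructed, and the DNS lookup is injectable so the check can run offline against a fake resolver.

```python
"""Flag hostnames that reach, or resolve to, a server's IP but are not among
the sites the operator actually hosts.  Added example; all sample data is
constructed and the log format (combined log + "$host" as last field) is
an assumption, not a standard."""
import re
import socket
from typing import Callable, Dict, Iterable, List

# Constructed sample: nginx/Apache combined log with "$host" appended.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Aug/2019:21:55:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0" "myblog.example"
198.51.100.9 - - [23/Aug/2019:21:55:03 +0000] "GET /?p=1 HTTP/1.1" 200 4321 "-" "Mozilla/5.0" "stray-domain.example"
203.0.113.7 - - [23/Aug/2019:21:55:09 +0000] "GET /wp-content/plugins/contact-form-7/ HTTP/1.1" 404 0 "-" "curl/7.64" "another-stray.example"
203.0.113.7 - - [23/Aug/2019:21:56:00 +0000] "GET / HTTP/1.1" 200 100 "-" "Mozilla/5.0" "myblog.example"
"""

# The last double-quoted field on the line is the Host header in this layout.
HOST_FIELD = re.compile(r'"([^"]*)"\s*$')


def hosts_seen(log_text: str) -> Dict[str, int]:
    """Count requests per Host header; unparsable lines are skipped."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        match = HOST_FIELD.search(line)
        if not match:
            continue
        host = match.group(1).strip().lower().rstrip(".")
        if host:
            counts[host] = counts.get(host, 0) + 1
    return counts


def unexpected_hosts(log_text: str, served_hosts: Iterable[str]) -> List[str]:
    """Hostnames that hit the server but are not on the operator's vhost list.
    Such names are either pointed at this IP by someone else or are raw IP/probe
    traffic; both deserve a look."""
    served = {h.strip().lower().rstrip(".") for h in served_hosts}
    return sorted(h for h in hosts_seen(log_text) if h not in served)


def _system_resolve(name: str) -> List[str]:
    """Default resolver: IPv4 A records via the system resolver (network)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def domains_pointing_at_me(candidates: Iterable[str], my_ips: Iterable[str],
                           resolve: Callable[[str], List[str]] = _system_resolve
                           ) -> Dict[str, List[str]]:
    """Map each candidate domain to the subset of its A records that are ours.
    Candidates come from wherever you can get them (passive DNS, the log above);
    DNS alone cannot enumerate every name that points at an IP."""
    mine = set(my_ips)
    hits: Dict[str, List[str]] = {}
    for name in candidates:
        overlap = sorted(ip for ip in resolve(name) if ip in mine)
        if overlap:
            hits[name.lower().rstrip(".")] = overlap
    return hits


if __name__ == "__main__":
    served = ["myblog.example"]
    print("unexpected Host headers:", unexpected_hosts(SAMPLE_LOG, served))
    # Offline demo with a constructed resolver instead of real DNS.
    fake_dns = {"myblog.example": ["203.0.113.10"],
                "stray-domain.example": ["203.0.113.10"],
                "elsewhere.example": ["198.51.100.1"]}
    print("domains resolving to my IP:",
          domains_pointing_at_me(fake_dns, ["203.0.113.10"], fake_dns.get))
```

Run it against a real access log by reading the file into `hosts_seen`, and feed `domains_pointing_at_me` the names from `unexpected_hosts` plus any passive-DNS results without the `resolve` argument to use live DNS. Names that resolve to your IP but are not on your served list are exactly the "domains registered with my IP number" the post describes, and are worth raising with the registrar or the blacklist operator before they are attributed to you.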