Wordfence analysts have summed up the results of 2020 and report that pirated WordPress plugins and themes have become the main source of malware distribution among WordPress sites. The experts write that last year their malware scanner detected more than 70,000,000 malicious files on more than 1,200,000 WordPress sites. At the same time, 206,000 sites (over 17% of the total) were infected with malware due to the use of various pirated (nulled) plugins and themes.
Most of these 206,000 sites (154,928) were affected by the WP-VCD malware, which has existed since 2017. Over the years, researchers have repeatedly noted that this malware does not use vulnerabilities to penetrate other people’s sites; instead, its operators rely on human greed, creating free but malicious clones of popular themes and plugins.
“This malicious campaign was so successful that it accounted for 13% of all infected sites in 2020,” said Wordfence specialists.
Pirated themes and plugins are not the only source of compromise on WordPress sites. Among other attack methods, the researchers name brute force and exploits for various bugs.
Last year there were more than 90,000,000,000 malicious and automated attempts to log in to the system. These attacks were launched from 57,000,000 IP addresses, at a rate of 2,800 login attempts per second. Wordfence also blocked 4.3 billion attempts to exploit vulnerabilities from over 9.7 million unique IP addresses in 2020.
The diagram shows the five most common attacks over the course of the year:
- Directory Traversal attacks, including relative and absolute paths, made up 43% of all vulnerability exploit attempts, at 1.8 billion attacks. While the majority of these were attempts to gain access to sensitive data contained in sites' wp-config.php files, many were also local file inclusion (LFI) attempts.
- SQL Injection was the second most common category of vulnerabilities, with 909.4 million attacks, which made up 21% of all attacks.
- Malicious file uploads intended to achieve Remote Code Execution (RCE) were the third most commonly used category of vulnerabilities, with 454.8 million attacks, which made up 11% of all attacks.
- Cross-Site Scripting (XSS) was the fourth most commonly attacked category of vulnerabilities at 8% of all attempts with 330 million attacks.
- Authentication Bypass vulnerabilities were the fifth most commonly attacked category of flaws at 3% of all attempts with 140.8 million attacks.
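
For the largest category above, directory traversal aimed at wp-config.php, a site owner can triage web server access logs for the same pattern. The following is an added example, not code from Wordfence or the report; the log lines, plugin path, parameter names and the `SENSITIVE` list are constructed for illustration. It decodes nested percent-encoding before matching and separates relative from absolute path attempts.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines; paths, parameter names and IPs are hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2020:10:01:02 +0000] "GET /wp-content/plugins/example/download.php?file=../../../wp-config.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Mar/2020:10:01:03 +0000] "GET /?page=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 404 0',
    '198.51.100.7 - - [12/Mar/2020:10:02:10 +0000] "GET /index.php?tpl=/var/www/html/wp-config.php HTTP/1.1" 403 0',
    '198.51.100.7 - - [12/Mar/2020:10:02:11 +0000] "GET /index.php?f=..%5c..%5cwp-config.php HTTP/1.1" 403 0',
    '192.0.2.10 - - [12/Mar/2020:10:03:00 +0000] "GET /wp-login.php?redirect_to=/wp-admin/ HTTP/1.1" 200 47',
]

REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
RELATIVE = re.compile(r"(^|/)\.\.(/|$)")      # a ".." path segment
ABSOLUTE = re.compile(r"^(/|[A-Za-z]:/)")     # Unix root or Windows drive
SENSITIVE = ("wp-config.php", "/etc/passwd")  # illustrative, not exhaustive

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding and unify path separators."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def classify(line):
    """Return (kind, target) for the first suspicious query value, else None."""
    m = REQ.search(line)
    if not m:
        return None
    query = urlsplit(m.group(1)).query
    for _, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)
        target = next((s for s in SENSITIVE if s in value.lower()), None)
        if RELATIVE.search(value):
            return ("relative", target)
        # Absolute paths are common in benign parameters, so require a sensitive name.
        if target and ABSOLUTE.match(value):
            return ("absolute", target)
    return None

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), line.split()[0])
```

The last sample line, a login redirect with an absolute path, is deliberately left unflagged; matching only on a leading slash would bury real hits in noise.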