Today we’re publishing statistics on the attacks we are seeing on themes across the WordPress ecosystem. The Wordfence Firewall provides us with attack telemetry across a large number of sites that we protect. The data we’re sharing today is based on the following high level metrics:
- An analysis of 15,949,826 total attacks across the past 7 days – from Monday August 1st to Monday August 8th (yesterday) on sites that Wordfence protects.
- Attacks on 519,592 unique Wordfence customer websites.
- Attacks originating from a total of 72,896 unique IPs.
The “Theme Slug” below is a term used in WordPress parlance. It refers to the unique directory name that is created in the wp-content/themes/ directory for the theme when it is installed. This uniquely identifies themes in the WordPress ecosystem. To find out more about the theme, simply Google the ‘slug’.
The table shows the total attacks we recorded on that theme across all sites, the number of IPs that launched an attack on the theme and the number of unique sites that we recorded attacks for that targeted that theme. To be clear, that is not the number of sites actually running the theme. It’s simply the number of sites where someone tried to attack the theme, whether it was installed or not.
We explain why most of these themes are being attacked and what the “Bulk Disclosed” column means below the table.
| Theme Slug | Total attacks | Unique IPs attacking | Unique sites attacked | Vulnerability Type | Bulk Disclosed |
| churchope | 172,782 | 2,055 | 63,115 | LFI | X |
| mTheme-Unus | 163,644 | 2,303 | 90,803 | LFI | |
| lote27 | 135,948 | 1,922 | 60,638 | LFI | X |
| SMWF | 121,725 | 1,466 | 85,228 | LFI | X |
| markant | 118,962 | 1,399 | 83,418 | LFI | X |
| felis | 118,437 | 1,431 | 81,800 | LFI | X |
| MichaelCanthony | 114,503 | 1,389 | 79,059 | LFI | X |
| TheLoft | 113,990 | 1,387 | 78,644 | LFI | X |
| parallelus-mingle | 105,648 | 1,568 | 54,279 | LFI | |
| urbancity | 96,810 | 1,678 | 56,952 | LFI | X |
| trinity | 89,603 | 1,410 | 52,326 | LFI | X |
| authentic | 82,692 | 1,817 | 37,312 | LFI | X |
| parallelus-salutation | 73,025 | 1,628 | 35,886 | LFI | |
| elegance | 68,928 | 1,009 | 21,726 | LFI | |
| awake | 68,424 | 1,031 | 21,323 | LFI | |
| antioch | 63,174 | 1,365 | 26,243 | LFI | X |
| modular | 62,470 | 990 | 19,770 | LFI | |
| epic | 53,903 | 925 | 17,400 | LFI | X |
| infocus | 52,739 | 989 | 19,942 | LFI | |
| Newspapertimes_1 | 50,707 | 943 | 29,297 | LFI |
Who is attacking these themes?
Back in December, 2014 a researcher bulk disclosed a large number of WordPress theme vulnerabilities. The disclosure includes a script that targets a single site and tries to exploit vulnerabilities in a large number of themes. The vulnerabilities it tries to exploit are all file inclusion vulnerabilities.
In the comments at the top of the script that was disclosed, the researcher also includes an example of how to use the script with the powerful INURLBR scanner which he also wrote. This allows attackers and presumably other researchers to bulk find and exploit WordPress sites by trying to exploit the theme vulnerabilities disclosed.
This is the example included in the disclosure:
./inurlbr.php --dork 'inurl:/wp-content/themes/' -q 1,6 -s save.txt \ --comand-all "php exploit.php _TARGET_"
In the statistics we’ve released above, all the themes marked with an X are included in the bulk disclosure that was made and which included the inurlbr exploit example. So we think what is happening is that so called “script kiddies” (unsophisticated hackers) are grabbing the researcher’s original example from December 2014 and trying to exploit old vulnerabilities in themes.
All these exploits are being blocked by the Wordfence firewall. It’s also likely that many, possibly all of the themes have now fixed this vulnerability, although we recommend that if you use any of these themes you verify with your vendor that your current version contains no vulnerabilities.
The INURLBR scanner has evolved since it was first released in July 2014 into a powerful tool that allows attackers to bulk locate and exploit WordPress websites and sites using other CMSs. The scanner includes:
- Support for a huge range of search engines to “Google dork” and find targets for attack.
- Bulk exploiting of targets once found.
- The ability to use proxies to hide where queries and exploits are coming from.
- The ability to rotate proxies to constantly change IP.
- Ability to hide behind Tor.
- It can send vulnerable sites to an IRC channel, presumably for botnet integration.
- It includes many other features like regex matching/extraction and more.
It’s possible that many users of INURLBR are using the original bulk disclosure to test INURLBR before launching more sophisticated attacks. That may explain why those original themes are dominating our top 20 list of exploited themes.
At Wordfence we constantly mine attack data to discover how to better protect our customers. Upgrade to Wordfence Premium today to receive real-time firewall rule updates, premium support and much more.
We encourage you to comment and share this data with the larger WordPress community.
The post This Week’s Top 20 Attacked Themes and Who is Attacking Them appeared first on Wordfence.
Read More