A large-scale attack campaign has targeted over 900,000 WordPress websites through vulnerabilities in plugins and themes, WordPress security company Defiant revealed this week.
The attacks were initially discovered on April 28, but showed a massive spike on May 3, when more than half a million websites were hit. Likely the work of a single threat actor, the campaign is aimed at injecting the target websites with malicious JavaScript designed to redirect visitors to malvertising sites.
Responsible for only a small volume of attacks in the past, the threat actor has ramped up the operation, with over 20 million attacks registered on May 3. The researchers discovered that, over the past month, over 24,000 distinct IP addresses were used to attack more than 900,000 sites.
“Due to the sheer volume and variety of attacks and sites that we’ve seen targeted, it is possible that your site may be exposed to these attacks, and the malicious actor will likely pivot to other vulnerabilities in the future,” Defiant says.