ZDNet tells us that WordPress websites are under a major attack and that the attackers are creating fake admin accounts to take over websites. The attacks are happening due to outdated versions of various plugins. These attacks started in July of this year, but were fairly benign at the start as they were only used to show ads or redirect users to other websites.
Now the attacks are being used to generate admin accounts and possibly to take over your website entirely from the admin panel.
If you have any of these plugins installed update or remove them immediately:
- Bold Page Builder
- Blog Designer
- Live Chat with Facebook Messenger
- Yuzo Related Posts
- Visual CSS Style Editor
- WP Live Chat Support
- Form Lightbox
- Hybrid Composer
- All former NicDark plugins (nd-booking, nd-travel, nd-learning, etc…)
Once you’ve removed or updated all of the affected plugins, check who had admin privileges on your website. Admins who you don’t recognize you should remove immediately.
These attackers are currently creating an account with the following credentials:
- Username: WPServices or wpservices
- Email: firstname.lastname@example.org
- Password: w0rdpr3ss
You should also update your WordPress to the latest version and run a WordPress security scan just to be safe.
You should also always be running backups of your WordPress website or have someone / a service that is doing that for you just in case an attack like this ever succeeds.
If you are not sure if you are affected or you think you have been infected and don’t know how to fix it, please contact us and we’ll do our best to help.