🟠 High | Source: The Hacker News
A cybercrime group accidentally left their attack infrastructure publicly accessible for three weeks, exposing their tools, logs, and a target list of over 1.4 million WordPress sites. Researchers were able to observe the full mechanics of a mass WordPress backdooring campaign, tracked as WP-SHELLSTORM. While the number of successfully compromised sites is lower than the target list, the exposure reveals the industrial scale at which these operations are conducted.
Security Architect’s Take: If your organisation hosts WordPress sites on cloud infrastructure, audit for the WP-SHELLSTORM indicators of compromise immediately and review Web Application Firewall rules to block known malicious plugin or theme upload patterns. Ensure WordPress instances are covered by file integrity monitoring and that admin interfaces are not publicly exposed without MFA.
Original advisory: Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites