Hackers Target Over A Million WordPress Sites To Steal Credentials


As more businesses move online, attackers have stepped up their campaigns as well: according to new research, one campaign has targeted more than a million WordPress websites.

A report released by Wordfence showed that between May 29 and May 31, 2020, the Wordfence firewall blocked over 130 million attacks intended to harvest database credentials from 1.3 million sites by downloading their configuration files (wp-config.php).

The report tied the activity to a previously reported XSS campaign that is now launching new attacks from the same IP addresses, and it listed the ten most active attacking IP addresses. The sites at greatest risk are those whose database server accepts remote connections: an attacker holding your database credentials can add an administrative user, exfiltrate sensitive data, or delete your site altogether.

The report adds that even if your site does not allow remote database access, the same file holds your site's authentication keys and salts, and an attacker who knows them may be able to use them to bypass other security mechanisms more easily.
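Spotting this kind of probing in your own web server logs, as an added example that is not part of the Wordfence report or of this article: the script below scans access log lines in the Apache/nginx "combined" format for requests for wp-config.php and for the copies that editors and backup tools leave behind (wp-config.php.bak, wp-config.php~, wp-config.old and so on), counts them per source IP, and flags any copy the server actually returned. The sample log lines, the IP addresses and the list of probed file names are constructed assumptions for the demonstration, not data from the report.

```python
"""Find attempts to download a WordPress configuration file in access logs.

Added example for this article, not code from Wordfence or WordPress.
Input is the Apache/nginx "combined" log format. Sample lines, IPs and the
set of probed file names are constructed for the demonstration.
"""
import re
import sys
from collections import Counter, defaultdict

# ip ident user [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample (RFC 5737 documentation addresses). One host walks the
# usual backup names, another gets a 200 on an editor copy, a third is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2020:02:14:11 +0000] "GET /wp-config.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2020:02:14:12 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2020:02:14:12 +0000] "GET /wp-config.php~ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2020:02:14:13 +0000] "GET /wp-config.old HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [30/May/2020:02:20:40 +0000] "GET /blog/wp-config.php.save HTTP/1.1" 200 3211 "-" "curl/7.68.0"
198.51.100.23 - - [30/May/2020:02:20:41 +0000] "GET /wp-config.php?x=1 HTTP/1.1" 200 0 "-" "curl/7.68.0"
192.0.2.10 - - [30/May/2020:02:21:03 +0000] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [30/May/2020:02:21:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def clean_path(path):
    """Drop the query string; attackers append junk to dodge naive filters."""
    return path.split("?", 1)[0]


def is_config_probe(path):
    """True for any request whose file name starts with wp-config.

    This covers wp-config.php itself and every copy an editor or a backup
    tool leaves behind (wp-config.php.bak, wp-config.php~, wp-config.old,
    wp-config.php.save, ...). Such copies are not executed by PHP, so a
    web server that has not been told to deny them sends the file, with
    the database credentials and salts, as plain text.
    """
    name = clean_path(path).rsplit("/", 1)[-1].lower()
    return name.startswith("wp-config")


def analyze(lines):
    """Return per-IP probe counts, the names each IP tried, and likely leaks."""
    hits_by_ip = Counter()
    names_by_ip = defaultdict(set)
    leaks = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_config_probe(m["path"]):
            continue
        ip, path, status = m["ip"], clean_path(m["path"]), m["status"]
        hits_by_ip[ip] += 1
        names_by_ip[ip].add(path.rsplit("/", 1)[-1])
        # A 200 on wp-config.php itself is normally an empty body (PHP ran it),
        # but a 200 on a non-.php copy means the server served the source.
        if status == "200" and not path.lower().endswith(".php"):
            leaks.append((ip, path))
    return {"hits_by_ip": hits_by_ip, "names_by_ip": names_by_ip, "leaks": leaks}


def top_attackers(result, n=10):
    """Most active probing IPs, in the style of the report's top-10 list."""
    return result["hits_by_ip"].most_common(n)


if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    result = analyze(source)
    for ip, count in top_attackers(result):
        print(f"{ip:16} {count:4} requests  {sorted(result['names_by_ip'][ip])}")
    for ip, path in result["leaks"]:
        print(f"LIKELY LEAK: {path} returned 200 to {ip}; delete the copy and deny wp-config* in the web server")
```

Run it as `python3 wpconfig_probes.py /var/log/apache2/access.log` (without an argument it uses the constructed sample). A 200 on wp-config.php itself is not a leak by itself, because PHP executes the file and returns an empty page; the script only reports a likely leak when a non-.php copy came back with 200. The one case it cannot see is a server misconfigured to serve .php files as static text, so confirm with a request of your own rather than trusting the log alone.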

What you must do to avoid falling prey to hackers:

1. Use a WordPress anti-virus and security plugin:

The security of your WordPress website matters to your users, because it builds their confidence while they are on your site. Once SSL/TLS is in place, which protects your site against eavesdropping and the session hijacking that can follow from it, the next thing you need is an anti-virus and security plugin.

There are a lot of them out there, such as BulletProof Security and Sucuri Security, but today I am recommending Wordfence. It is a very good anti-virus and security plugin, with a staggering 3 million downloads.

It is updated regularly against the latest vulnerabilities, its firewall blocks malicious requests, and its malware scanner detects deliberately infected plugins that might take down your site or corrupt its files.

It is a freemium plugin, and the free version is still good enough.

2. NEVER install WP using Fantastico unless you want to get hacked.

3. USE Softaculous or a manual install (download from www.wordpress.org). Our WordPress Xclusive training kit teaches how to install WordPress using Softaculous ( # for Nigerians only)

4. USE a difficult-to-guess:
MySQL database name
Password: at least 17 characters with a minimum of 3 symbols, e.g. !$/%@#
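A small generator and checker for step 4, as an added example that is not part of the article or of WordPress: it produces a password meeting the stated policy (17 characters, at least 3 symbols from the article's example set) using the `secrets` module, a database name that is not guessable from the domain or the default "wordpress", and the DB_* lines for wp-config.php with the password correctly escaped for PHP. The database-name scheme, the `wpuser` account name and the rendering helper are assumptions made here for illustration.

```python
"""Generate and check WordPress database credentials against the policy above.

Added example, not from the article or WordPress. The policy (17 characters,
at least 3 symbols from the article's example set) is the article's; the
random database-name scheme and the wp-config.php rendering are assumptions
made here for illustration.
"""
import secrets
import string

SYMBOLS = "!$/%@#"                 # the article's example symbols
PASSWORD_LENGTH = 17
MIN_SYMBOLS = 3
ALNUM = string.ascii_letters + string.digits


def meets_policy(password, length=PASSWORD_LENGTH, min_symbols=MIN_SYMBOLS, symbols=SYMBOLS):
    """At least `length` characters and at least `min_symbols` from `symbols`."""
    if len(password) < length:
        return False
    return sum(1 for c in password if c in symbols) >= min_symbols


def generate_password(length=PASSWORD_LENGTH, min_symbols=MIN_SYMBOLS, symbols=SYMBOLS):
    """Cryptographically random password that satisfies meets_policy()."""
    if min_symbols > length:
        raise ValueError("min_symbols cannot exceed length")
    chars = [secrets.choice(symbols) for _ in range(min_symbols)]
    chars += [secrets.choice(ALNUM + symbols) for _ in range(length - min_symbols)]
    # Fisher-Yates shuffle driven by secrets, so the guaranteed symbols do not
    # always sit at the front (random.shuffle is not suitable for secrets).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def generate_db_name(prefix="wp", random_chars=8):
    """Database name not guessable from the domain or the default 'wordpress'.

    Restricted to [a-z0-9_] so it never needs quoting in MySQL.
    """
    alphabet = string.ascii_lowercase + string.digits
    return prefix + "_" + "".join(secrets.choice(alphabet) for _ in range(random_chars))


def php_single_quoted(value):
    """Escape a value for a single-quoted PHP string literal.

    Only backslash and the single quote are special there; a password
    containing either would otherwise break wp-config.php.
    """
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_wp_config_defines(db_name, db_user, db_password, db_host="localhost"):
    """The four DB_* lines for wp-config.php. DB_HOST stays on localhost so
    the database never has to accept remote connections."""
    return "\n".join(
        f"define( '{name}', {php_single_quoted(value)} );"
        for name, value in (
            ("DB_NAME", db_name),
            ("DB_USER", db_user),
            ("DB_PASSWORD", db_password),
            ("DB_HOST", db_host),
        )
    )


if __name__ == "__main__":
    name, pw = generate_db_name(), generate_password()
    assert meets_policy(pw)
    print(render_wp_config_defines(name, "wpuser", pw))
```

Create the MySQL account as 'wpuser'@'localhost' (not '%'), so the credentials are useless from any other host even if wp-config.php does leak; that is the "remote database access" condition the report singles out. Keep the password out of shell history and backups of wp-config.php out of the web root.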

Hope this helps!