This Week’s Top 20 Attacked Themes and Who is Attacking Them

Today we’re publishing statistics on the attacks we are seeing on themes across the WordPress ecosystem. The Wordfence Firewall provides us with attack telemetry across a large number of sites that we protect. The data we’re sharing today is based on the following high-level metrics:

  • An analysis of 15,949,826 total attacks across the past 7 days – from Monday August 1st to Monday August 8th (yesterday) on sites that Wordfence protects.
  • Attacks on 519,592 unique Wordfence customer websites.
  • Attacks originating from a total of 72,896 unique IPs. 

The “Theme Slug” below is a term used in WordPress parlance. It refers to the unique directory name that is created in the wp-content/themes/ directory for the theme when it is installed. This uniquely identifies themes in the WordPress ecosystem. To find out more about the theme, simply Google the ‘slug’.

The table shows the total attacks we recorded on that theme across all sites, the number of IPs that launched an attack on the theme and the number of unique sites that we recorded attacks for that targeted that theme. To be clear, that is not the number of sites actually running the theme. It’s simply the number of sites where someone tried to attack the theme, whether it was installed or not.

We explain why most of these themes are being attacked and what the “Bulk Disclosed” column means below the table.

| Theme Slug | Total attacks | Unique IPs attacking | Unique sites attacked | Vulnerability Type | Bulk Disclosed |
| --- | --- | --- | --- | --- | --- |
| churchope | 172,782 | 2,055 | 63,115 | LFI | X |
| mTheme-Unus | 163,644 | 2,303 | 90,803 | LFI | |
| lote27 | 135,948 | 1,922 | 60,638 | LFI | X |
| SMWF | 121,725 | 1,466 | 85,228 | LFI | X |
| markant | 118,962 | 1,399 | 83,418 | LFI | X |
| felis | 118,437 | 1,431 | 81,800 | LFI | X |
| MichaelCanthony | 114,503 | 1,389 | 79,059 | LFI | X |
| TheLoft | 113,990 | 1,387 | 78,644 | LFI | X |
| parallelus-mingle | 105,648 | 1,568 | 54,279 | LFI | |
| urbancity | 96,810 | 1,678 | 56,952 | LFI | X |
| trinity | 89,603 | 1,410 | 52,326 | LFI | X |
| authentic | 82,692 | 1,817 | 37,312 | LFI | X |
| parallelus-salutation | 73,025 | 1,628 | 35,886 | LFI | |
| elegance | 68,928 | 1,009 | 21,726 | LFI | |
| awake | 68,424 | 1,031 | 21,323 | LFI | |
| antioch | 63,174 | 1,365 | 26,243 | LFI | X |
| modular | 62,470 | 990 | 19,770 | LFI | |
| epic | 53,903 | 925 | 17,400 | LFI | X |
| infocus | 52,739 | 989 | 19,942 | LFI | |
| Newspapertimes_1 | 50,707 | 943 | 29,297 | LFI | |

Who is attacking these themes?

Back in December 2014, a researcher bulk-disclosed a large number of WordPress theme vulnerabilities. The disclosure includes a script that targets a single site and tries to exploit vulnerabilities in a large number of themes. The vulnerabilities it tries to exploit are all file inclusion vulnerabilities.

In the comments at the top of the disclosed script, the researcher also includes an example of how to use the script with the powerful INURLBR scanner, which he also wrote. This allows attackers, and presumably other researchers, to find and exploit WordPress sites in bulk by trying the disclosed theme vulnerabilities against each one.

This is the example included in the disclosure:

./inurlbr.php --dork 'inurl:/wp-content/themes/' -q 1,6 -s save.txt --comand-all "php exploit.php _TARGET_"

In the statistics released above, all the themes marked with an X are included in that bulk disclosure, the same disclosure that carried the inurlbr example. So we think what is happening is that so-called “script kiddies” (unsophisticated hackers) are grabbing the researcher’s original example from December 2014 and trying to exploit old vulnerabilities in these themes.

All these exploit attempts are being blocked by the Wordfence firewall. It’s also likely that many, possibly all, of these themes have since fixed the vulnerability, although we recommend that if you use any of them you verify with your vendor that your current version contains no known vulnerabilities.
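The three counts in the table above (total attacks, unique attacking IPs, unique sites attacked) and the blocking described in the previous paragraph both come down to the same question: does a request against a wp-content/themes/<slug>/ path carry a file inclusion payload? The following Python script is an added example, not Wordfence’s code or part of the original post. It assumes a constructed log format (virtual host, client IP, timestamp, request line, status), a placeholder file name script.php that is not any theme’s real file, and a small constructed set of log lines; it percent-decodes each request (twice, so double-encoded payloads are not missed), flags directory traversal and PHP stream wrappers as file inclusion attempts, and aggregates per theme slug the way the table does, counting a site whenever it was targeted, whether or not the theme was installed there.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log lines for this example (not real telemetry).
# Format assumed here: <vhost> <client ip> [<timestamp>] "<request line>" <status>
# "script.php" is a placeholder, not the real file name of any theme.
SAMPLE_LOG = """\
blog-a.example 203.0.113.7 [02/Aug/2016:10:01:13 +0000] "GET /wp-content/themes/churchope/script.php?f=../../../../etc/passwd HTTP/1.1" 403
blog-b.example 203.0.113.7 [02/Aug/2016:10:01:15 +0000] "GET /wp-content/themes/lote27/script.php?f=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403
blog-a.example 198.51.100.4 [02/Aug/2016:10:02:40 +0000] "GET /wp-content/themes/churchope/script.php?f=php://filter/resource=index.php HTTP/1.1" 403
blog-c.example 198.51.100.4 [02/Aug/2016:10:02:41 +0000] "GET /wp-content/themes/churchope/style.css HTTP/1.1" 200
blog-c.example 192.0.2.9 [02/Aug/2016:10:03:00 +0000] "GET /?p=12 HTTP/1.1" 200
blog-b.example 192.0.2.9 [02/Aug/2016:10:03:05 +0000] "GET /wp-content/themes/mTheme-Unus/script.php?f=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403
"""

LOG_RE = re.compile(
    r'^(?P<site>\S+) (?P<ip>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)
# The theme slug is the directory directly under wp-content/themes/.
THEME_RE = re.compile(r'^/wp-content/themes/(?P<slug>[^/?]+)/')
# Indicators of a file inclusion attempt once the request is decoded:
# directory traversal, or a PHP stream wrapper used to read or fetch a file.
LFI_RE = re.compile(r'(\.\./|\.\.\\|php://|data://)', re.IGNORECASE)


def parse_line(line):
    """Split one log line into its fields; returns None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode twice so that %252e%252e%252f (double-encoded ../) is seen as ../.
    rec["target"] = unquote(unquote(rec["target"]))
    return rec


def classify(target):
    """Return the theme slug if the decoded request is an LFI attempt against a theme path."""
    tm = THEME_RE.match(target)
    if tm is None or LFI_RE.search(target) is None:
        return None
    return tm.group("slug")


def summarize(log_text):
    """Per-slug (total attacks, unique attacking IPs, unique sites attacked), as in the table."""
    stats = defaultdict(lambda: {"attacks": 0, "ips": set(), "sites": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        slug = classify(rec["target"])
        if slug is None:
            continue
        s = stats[slug]
        s["attacks"] += 1
        s["ips"].add(rec["ip"])
        s["sites"].add(rec["site"])  # the site was targeted; the theme need not be installed
    return {slug: (s["attacks"], len(s["ips"]), len(s["sites"])) for slug, s in stats.items()}


def ranked(log_text):
    """Slugs ordered by total attacks, descending, like the top-20 list."""
    return sorted(summarize(log_text).items(), key=lambda kv: kv[1][0], reverse=True)


if __name__ == "__main__":
    print(f"{'Theme Slug':<16}{'Attacks':>8}{'IPs':>6}{'Sites':>7}")
    for slug, (attacks, ips, sites) in ranked(SAMPLE_LOG):
        print(f"{slug:<16}{attacks:>8}{ips:>6}{sites:>7}")
```

On the sample lines this reports churchope with two attempts from two IPs against one site, and one attempt each for lote27 and mTheme-Unus; the plain style.css request and the unrelated post request are not counted. The decode-before-match step matters in practice: a pattern applied to the raw, still-encoded request string would miss the second and sixth sample lines entirely.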

The INURLBR scanner has evolved since it was first released in July 2014 into a powerful tool that allows attackers to bulk locate and exploit WordPress websites and sites using other CMSs. The scanner includes:

  • Support for a huge range of search engines to “Google dork” and find targets for attack.
  • Bulk exploiting of targets once found.
  • The ability to use proxies to hide where queries and exploits are coming from.
  • The ability to rotate proxies to constantly change IP.
  • Ability to hide behind Tor.
  • It can send vulnerable sites to an IRC channel, presumably for botnet integration.
  • Many other features, such as regex matching and extraction.

It’s possible that many users of INURLBR are using the original bulk disclosure to test INURLBR before launching more sophisticated attacks. That may explain why those original themes are dominating our top 20 list of exploited themes.

At Wordfence we constantly mine attack data to discover how to better protect our customers. Upgrade to Wordfence Premium today to receive real-time firewall rule updates, premium support and much more.

We encourage you to comment and share this data with the larger WordPress community.

The post This Week’s Top 20 Attacked Themes and Who is Attacking Them appeared first on Wordfence.