WordPress

Mark Maunder, CEO Wordfence / Feedjit Inc

Security vendor Wordfence has reported that hackers are zeroing in on fresh WordPress sites within 30 minutes of their being set up. The details came in a blog post by Mark Maunder, CEO of Wordfence, on the company site.

Maunder references a presentation at Black Hat 2017, which recently took place in Las Vegas. Security researcher Hanno Böck demonstrated a method to detect new WordPress sites by monitoring for new security certificates. What is disturbing about this attack is that most sites will not be complete within the 30-minute window. This means hackers with automated tools can detect and start to compromise a site before it is complete.

How do they detect WordPress sites?

There is a five-step process that allows this attack to work. It is:

  1. You order a new website hosting package from a hosting provider. Your order includes a free or paid SSL certificate for your domain.
  2. The SSL certificate is issued once your order completes.
  3. 30 minutes later, attackers see your fresh website listed in the certificate transparency report.
  4. At that time – 30 minutes later – you are halfway through completing your website setup and are just beginning to install WordPress.
  5. An attacker is constantly monitoring your new domain, and as soon as they see the setup script, they run it, install a back door and then reset your site to the state it was in so that you don’t notice.

It is not just the speed of this attack that will worry webmasters. It is the fact that attackers are using publicly available tools to detect the new SSL certificate and then attacking immediately. This speed of attack is new and shows how security is continuing to shift away from the defenders and into the hands of the attackers.

As Maunder highlights in his blog, attacking the WordPress setup program is not difficult. There are a number of attacks out there that do this. In May and June, Wordfence saw a significant increase in these types of attacks. A successful attack gives the hacker control of the WordPress installation. It also hands them control of the entire hosting account and all other websites on that account.

What can be done about this?

Luckily, Maunder has given advice on how to limit this attack in his blog. There are two things that can be done. The first is to limit access to the site based on IP address. This helps stop attacks until the site is complete, tested, secure and ready for deployment.

The second is to ensure that there is, at the minimum, some form of basic authentication on the site.
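The two measures above, combined in one Apache 2.4 configuration. This is an added example, not taken from Maunder's post or from Wordfence; the directory path, the password file path and the address 203.0.113.10 are placeholders, and it assumes the host lets you edit the virtual host before the certificate is requested.

```apache
# Added example. Assumes Apache 2.4 with mod_authz_core, mod_auth_basic
# and mod_authn_file enabled. All paths and the IP address are placeholders.
# Create the password file first, outside the web root, e.g.:
#   htpasswd -c /etc/apache2/.htpasswd-staging builder

<Directory "/var/www/example-site">
    AuthType Basic
    AuthName "Site under construction"
    AuthUserFile "/etc/apache2/.htpasswd-staging"

    # Both conditions must hold: the request comes from your own address
    # AND carries valid credentials. Anyone who finds the domain in a
    # certificate transparency log is refused before reaching the
    # WordPress setup script.
    <RequireAll>
        Require ip 203.0.113.10
        Require valid-user
    </RequireAll>
</Directory>

# If the certificate is issued or renewed through ACME HTTP-01 validation,
# the challenge directory has to stay publicly reachable. It only ever
# holds validation tokens, never WordPress files.
<Directory "/var/www/example-site/.well-known/acme-challenge">
    Require all granted
</Directory>
```

Remove the restriction only after WordPress is fully installed, the admin account has a strong password and the site has been tested.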

What does this mean?

WordPress is the most popular content management system (CMS) on the Internet. It is used by businesses and individuals alike. As a result, there are literally millions of WordPress installs out there. What is not known is how many are secure, how many have been taken over by hackers and how many are waiting to be attacked.

This latest attack is a significant game changer for a lot of the web design industry. The fact that it can happen within 30 minutes of the SSL certificate being applied for and before the site is complete is what makes it so dangerous. The steps that Maunder gives in his blog to protect against the attack are important. They are, hopefully, steps that any professional domain designer would already be taking. It is essential that webmasters combine them with the steps to protect WPSetup that Maunder highlights in his earlier blog.

Individuals setting up their own WordPress site are at a higher level of risk. Few will have the necessary skills to think about security before they start. The question is, will hosting companies provide a safe area for those customers? It is unlikely, but the industry itself has to start doing something to help its customers. At present, most hosting companies do some monitoring for compromised sites. However, those sites are being compromised before they are set up. It’s time for the hosting industry to up its game.
