Top 50 Most Attacked WordPress Plugins This Week
Last week we shared the top 20 most attacked WordPress themes and an explanation of why many of them are targeted. This week we’ve dug deep into the data and we are publishing the top 50 most attacked WordPress plugins during the past 7 days.
The data we’re sharing today is based on the following high level metrics:
- During the past week Wordfence blocked 20,644,496 unique attacks across all the sites we protect.
- We saw attacks from 73,629 unique IP addresses during the period.
- 20,622,975 attacks came from IPv4 addresses and 15,160 came from IPv6 addresses.
- Of the approximately 1.5 million active websites that we protect, 581,689 of those sites received attacks during the past week.
The following is a list of plugins that received the most attacks during the past week, counted as the 7-day window ending on Tuesday evening, August 16th. Once again we are showing the plugin ‘slug’, which is the unique directory name the plugin uses when it installs into WordPress.
This week we are ordering things slightly differently. We have the plugins ordered by number of unique sites that received attacks, labeled as “Sites attacked”. We feel this is a more useful order because it shows how widespread an attack is on a particular plugin, rather than just raw volume of attacks.
“Total Attacks” indicates the total number of attacks that we logged on that plugin. “IPs” is the total number of unique IP addresses that an attack targeting the plugin originated from.
“Type” is the type of attack – in most cases it’s a “Local File Inclusion” attack, which allows an attacker to read arbitrary files from the target system. The vast majority of files that are targeted are either the wp-config.php file, which contains the database username, password and server name, or /etc/passwd, which contains the host operating system usernames.
Where we’ve labeled the Type as “Shell” it indicates an attack that allows an attacker to upload a shell to the target site which gives them full remote access. These are the most serious vulnerabilities and attacks.
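As an added example (not part of the original post and not Wordfence's code), the script below shows how the “Total attacks” and “IPs” columns could be derived for LFI attempts from an ordinary web server access log: it flags requests under /wp-content/plugins/<slug>/ that carry directory traversal or name wp-config.php or /etc/passwd, then aggregates per plugin slug. The log lines, plugin slugs, parameter names and IP addresses are constructed; shell-upload attempts are not classified because the post gives no signature for them.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format: enough fields to get source IP, method and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Requests under a plugin directory; the slug is the table's "Plugin" column.
PLUGIN_RE = re.compile(r'^/wp-content/plugins/(?P<slug>[^/?]+)/')
# Files the post says LFI attacks go after.
LFI_TARGETS = ('wp-config.php', '/etc/passwd')


def decode_fully(s, rounds=3):
    """URL-decode repeatedly so double-encoded traversal (%252e%252e%252f) is caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(target):
    """Return the plugin slug if the request looks like an LFI attempt, else None."""
    m = PLUGIN_RE.match(target)
    if not m:
        return None  # not a plugin path; out of scope for this table
    decoded = decode_fully(target).lower()
    traversal = '../' in decoded or '..\\' in decoded
    names_secret = any(t in decoded for t in LFI_TARGETS)
    return m.group('slug') if (traversal or names_secret) else None


def aggregate(lines):
    """Per slug: request count ("Total attacks") and distinct source IPs ("IPs")."""
    stats = defaultdict(lambda: {'attacks': 0, 'ips': set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash
        slug = classify(m.group('target'))
        if slug is None:
            continue
        stats[slug]['attacks'] += 1
        stats[slug]['ips'].add(m.group('ip'))
    return {s: {'attacks': v['attacks'], 'ips': len(v['ips'])}
            for s, v in stats.items()}


# Constructed sample log (documentation IP ranges, made-up slugs and parameters).
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Aug/2016:18:01:02 -0700] "GET /wp-content/plugins/example-backup/'
    'download.php?file=../../../../wp-config.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Aug/2016:18:01:03 -0700] "GET /wp-content/plugins/example-backup/'
    'download.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Aug/2016:18:02:10 -0700] "GET /wp-content/plugins/example-backup/'
    'download.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 403 0 "-" "curl/7.47"',
    '198.51.100.9 - - [16/Aug/2016:18:02:11 -0700] "GET /wp-content/plugins/example-gallery/'
    'view.php?img=../../../etc/passwd HTTP/1.1" 403 0 "-" "curl/7.47"',
    '192.0.2.44 - - [16/Aug/2016:18:03:00 -0700] "GET /wp-content/plugins/example-gallery/'
    'css/style.css HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [16/Aug/2016:18:03:01 -0700] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    rows = sorted(aggregate(SAMPLE_LOG).items(), key=lambda kv: -kv[1]['attacks'])
    for slug, row in rows:
        print(f"{slug:20} attacks={row['attacks']:4} ips={row['ips']:3} type=LFI")
```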
All attacks are on vulnerabilities that are already publicly known. If you run any of these WordPress plugins, make sure that:
- You are using the newest version of the plugin.
- That version does not have any known vulnerabilities.
- You are running Wordfence with the Firewall enabled because we protect against all vulnerabilities shown.
The list of the top 50 most attacked plugins during the past week follows:
| Plugin | Sites attacked | Total attacks | IPs | Type |
| --- | ---: | ---: | ---: | --- |
| recent-backups | 182,525 | 351,014 | 3,467 | LFI |
| wp-symposium | 149,860 | 242,715 | 3,460 | Shell |
| google-mp3-audio-player | 138,282 | 307,743 | 2,032 | LFI |
| db-backup | 129,519 | 287,043 | 2,189 | LFI |
| wptf-image-gallery | 107,000 | 131,938 | 2,846 | LFI |
| wp-ecommerce-shop-styling | 103,471 | 131,011 | 2,887 | LFI |
| candidate-application-form | 103,017 | 127,359 | 2,820 | LFI |
| wp-miniaudioplayer | 91,546 | 196,557 | 1,381 | LFI |
| ebook-download | 88,461 | 189,640 | 1,408 | LFI |
| ajax-store-locator-wordpress_0 | 86,051 | 119,192 | 1,396 | LFI |
| hb-audio-gallery-lite | 82,041 | 105,618 | 1,505 | LFI |
| simple-ads-manager | 70,683 | 166,131 | 6,476 | Shell |
| revslider | 53,549 | 145,626 | 407 | Shell |
| inboundio-marketing | 53,063 | 112,696 | 874 | Shell |
| wpshop | 51,609 | 111,546 | 830 | Shell |
| dzs-zoomsounds | 51,089 | 225,032 | 731 | Shell |
| reflex-gallery | 49,853 | 111,624 | 699 | Shell |
| wp-mobile-detector | 38,764 | 115,235 | 800 | Shell |
| formcraft | 25,192 | 52,604 | 668 | Shell |
| sexy-contact-form | 19,076 | 50,649 | 316 | Shell |
| filedownload | 12,584 | 19,400 | 353 | LFI |
| plugin-newsletter | 11,982 | 23,887 | 451 | LFI |
| simple-download-button-shortcode | 11,558 | 21,502 | 427 | LFI |
| pica-photo-gallery | 11,059 | 16,587 | 262 | LFI |
| tinymce-thumbnail-gallery | 10,972 | 16,429 | 263 | LFI |
| dukapress | 10,814 | 16,235 | 333 | LFI |
| wp-filemanager | 10,756 | 16,634 | 331 | LFI |
| history-collection | 10,427 | 24,371 | 607 | LFI |
| s3bubble-amazon-s3-html-5-video-with-adverts | 10,312 | 24,011 | 595 | LFI |
| simple-image-manipulator | 7,268 | 8,272 | 448 | LFI |
| ibs-mappro | 5,555 | 18,738 | 448 | LFI |
| image-export | 5,442 | 6,047 | 266 | LFI |
| abtest | 5,431 | 5,885 | 297 | LFI |
| wp-swimteam | 5,119 | 5,433 | 238 | LFI |
| contus-video-gallery | 4,921 | 17,866 | 345 | LFI |
| sell-downloads | 4,393 | 4,746 | 240 | LFI |
| brandfolder | 4,268 | 4,619 | 230 | LFI |
| thecartpress | 4,164 | 4,534 | 274 | LFI |
| advanced-uploader | 4,066 | 4,351 | 203 | LFI |
| aviary-image-editor-add-on-for-gravity-forms | 3,548 | 5,749 | 247 | Shell |
| wp-post-frontend | 1,811 | 16,690 | 294 | Shell |
| [redacted]* | 1,716 | 2,133 | 65 | Shell |
| mdc-youtube-downloader | 1,039 | 5,517 | 199 | LFI |
| document_manager | 915 | 4,450 | 148 | LFI |
| paypal-currency-converter-basic-for-woocommerce | 797 | 1,133 | 129 | LFI |
| justified-image-grid | 788 | 17,852 | 35 | LFI |
| cherry-plugin | 539 | 3,919 | 31 | Shell |
| aspose-cloud-ebook-generator | 531 | 720 | 25 | LFI |
| gwolle-gb | 331 | 406 | 46 | LFI |
*The redacted plugin in the list was removed before publication. The attacks target an undocumented, older shell upload vulnerability that does not exist in the current version of the plugin. Because it is undocumented it is technically a zero-day vulnerability, even though it has been fixed in newer versions of the plugin, so we decided to withhold the plugin name.
Notes
The large number of local file inclusion vulnerabilities that are being exploited is surprising. I should also note that many of these LFIs were discovered by Larry Cashdollar, who I had the pleasure of seeing speak at Defcon in Las Vegas 2 weeks ago. So I suspect that many of these are being used in an attack script of some kind, which may explain their prevalence in the attacks we’re seeing.
The clustering of LFIs together and Shell exploits together in the list order is odd, but I don’t have a theory to explain it, and there is no error in the data that accounts for it. It appears to be coincidence.
The vulnerability in the Recent Backups plugin at the top of the list was disclosed in August 2015 and the plugin has now been removed from the repository, probably because it was not being maintained. The large number of exploits targeting this plugin is puzzling because, as far as I can tell from archive.org, the plugin only had a few thousand installs. It may be because it is quite easy to “google dork” to find sites that are vulnerable, and the abundance of target sites may make this an attractive target.
As a final note, I’d like to add that this data is simply an indication of the volume of attacks that we are seeing on plugins in the wild, across the large attack surface that is WordPress websites protected by Wordfence. It does not give any indication of whether a plugin in this list is more or less secure than others. It does not include data on how successful attacks on the plugins shown may or may not be. It is purely an indication of attack activity in the wild on WordPress plugins during the past week.
Your comments are welcomed as always.
Comments
9:15 am
Can we have the list of IPs doing this? (to block)
9:17 am
We don't currently provide that. We may in future as a premium feature. I'd like to hear from the rest of the community if there's any interest in this.
10:31 am
This would be such a good idea. Should roll this one out for sure.
10:33 am
Always.
1:02 pm
YES! PLEASE!
7:26 am
Yes please and no premium as would be pointless.
8:16 am
We would have to stop using the plugin if it started mining our site traffic. Does it mine data currently?
6:44 am
No, we only get reports of attacks.
11:55 am
Over the past few days there have been in excess of 500 attacks on one of my websites. The interesting thing is that all have used the login name "test" and the attacks come from around the world. All have been locked out thanks to Wordfence.
1:41 pm
I have been seeing a lot of attempted logins with the username "test" as well. This has been happening on multiple sites.
5:01 pm
Same here Chris. One site got smashed over a 3 day period.
Firstly I blocked the other countries from having access to the Log In page.
They then started attacking from Australia.
I then ended up changing the settings in WordFence to block unauthorised usernames. The attempts seemed to stop a few hours after that.
Thanks for your good work Wordfence Team.
2:48 am
I usually get hit by at least 57 attackers a day; it used to be a few hundred different IPs a day with more than 10,000 attempted attacks. What bothers me is Microsoft and Bing are also trying to log in to my server.
I just set my server into paranoid mode, if you are hammering my server, you get a ban hammer automatically.
7:37 pm
I occasionally get the "test" userid as well...just set Wordfence to permanently lock out that user, along with "admin".
12:17 pm
It seems pointless to try to block a list of IPs. The bot networks that are involved are using hundreds if not thousands of hijacked systems all with different IPs. If you block one IP they just switch to another one. There was a period of time I was getting hit by 10 to 20 different IPs per hour. When I blocked them there would be a new set that hit me the next hour. These were password dictionary attacks but I don't see any reason that attacks that target vulnerabilities would be any different.
7:27 am
10-20/hour is little
9:17 am
This explains why I saw suspicious activity a couple of days, where an unidentified IP address was looking for the sexy-contact-form plugin. I'd never heard of that plugin before then, and certainly don't use it.
9:20 am
Interesting Lindsey, thanks. I'd love to hear more about what users are seeing on the ground and how it relates to this data.
9:19 am
Yes, I would certainly be interested in having a list of IP's. It would help massively.
9:20 am
Thanks James. Can you share how you'd use it? Presumably to block bad guys, but where would you block? Firewall? Or iptables rules in Linux? Or somewhere else?
Thanks.
9:27 am
Thanks for the reply Mark.
I would use it to block them on iptable in Linux. I also believe I have the option to blacklist the IP addresses on the server.
James
7:29 am
I'm also using BitNinja to block across multiple servers and to help the community as there is a central DB used by several servers.
9:23 am
Funny to see Revolution slider up there, that plugin has caused me more hacking problems than every other plugin put together! I'm surprised so many themes still come bundled with it
9:28 am
Yes, a list of IPs would be excellent. Allowing us to add to the block list. thx
Having paid option with a Yes/No for auto update of flagged IPs.
9:38 am
Glad to see that I've never used a single plugin on this list.
9:49 am
I'm on a dedicated server and would have LiquidWeb block the respective ip's.
9:49 am
I had extreme activity on one of my client websites: a brute force attack in the last 2 days, more than 500 attempts from different IPs. Most of these countries I had blocked before the attacks. So, I wonder how it is possible to even try to access wp-login when country blocking is applied. Thank you for sharing valuable information.
2:18 pm
Stan,
What are you using to block countries?
7:24 am
Hi Mark,
I am using the country blocking feature of Wordfence.
10:02 am
Strange to see Gwolle GB on this list. The version mentioned is way old, it is not even on the changelog list anymore. Actual version is 2.01. Please look at the provided website: https://wordpress.org/plugins/gwolle-gb/changelog/
I hope that this is not the case with all of the 50 plug-ins. To me it looks like a very old test, not of the last week!
On the other hand I wonder how the list would look if it was taken last week indeed... ;(
10:24 am
The list is a query that looks back 7 days starting from yesterday evening at around 6pm pacific time. We have linked every exploit to a PoC mostly on exploit-db. You'll notice if you dig a little deeper that many of the exploits are 2016. This data is as real-time as it gets for large queries like this. There is nothing comparable from any other security provider because they don't have this capability.
I'd also add that we have not filtered this list for security scanners, so you may find that those are inflating the statistics for fairly old vulnerabilities. We are bringing this filtering capability online soon so watch this space.
In addition we've seen exploit toolkits (see our theme stats from last week) that get posted and are run by a large number of "script kiddies" or unsophisticated attackers that simply run an old toolkit to see if they get lucky. So many of these attacks may originate from that set.
Remember, these are attacks that were blocked. They are not successful attacks.
~Mark.
10:08 am
I would like to suggest that you team up with Stop Forum Spam, a long-standing community-driven spam blocking service where IP addresses of known attackers are freely shared. They helped me a bunch with my previous site (different CMS) but because their list is built and verified by a community of all of us and thus are a good fit with open source thinking. You would even be able to use their APIs to improve your own blocking capability, maybe even add blocking stuff on their list as a premium feature. They are at stopforumspam.com and I can't help but wonder if there isn't a similar possible partnership with Akismet too.
10:12 am
Hi wordfence and team, wordfence users,
It comes as no surprise to me. I am using wordfence, just as you do. What I have noticed, as well as said over and over: WP is as strong as its plugins. Now I have always advocated minimizing the use of plugins.
And it does not come as a surprise: I have none of those mentioned installed. Not a single one.
Whilst having wordfence installed doing a great job I advise all to get the premium version - I also have a little trick built in - My admin.php as well as wp-login.php is not accessible.
This makes it a little easier to fend off shady characters on the web.
Another thing after analyzing where most attacks used to come from :
40 % Ukrainian
30 % Turkish
30 % Chinese IPS
You can block those IPs permanently if you want. All you need is to configure htaccess.
After all, these guys have nothing good in common, so why not bar them from visiting your site.
Again a praise to wordfence for doing a great job,
AFRICASIAEURO/YOUTUBE
11:40 am
Hi Heinz! Thank you for your advice on blocking naughty countries! But what do you mean by: 'All you need is to configure htaccess'? As I am just a beginner in making a website, I don't know all these phrases, sorry.
Best wishes, Magda from sunny Amsterdam
10:31 pm
htaccess is Apache .htaccess file, a configuration in a sense.
More about this is at http://www.htaccess-guide.com/
10:46 am
Thank you for continued great services.
11:29 am
we were attacked over 800 times last. i blocked all networks & IP's
Most common was " admin " or " test " ... FAIL : I was watching it live and was blocking live
" They " went from The Eastern Bloc to Asia , To South America, server hopping ...FAIL ...lol..
Great Work Keeping Us Safe
12:15 pm
Would it be possible to allow IP blocking from within a user's Wordfence account rather than having to block on individual sites? I've got 20 licences and banning IPs across individual sites takes a fair amount of time
4:10 pm
Yes, I agree with that. We host both internal and external business websites on our server and it would be good to be able to sync all blocked IP's across all those protected in our account.
Or even a cloud based centralised management system? We use Bitdefender's enterprise grade AV suite for your network PC's/servers and the ability to log in and push through policy changes or tasks to multiple sites, is a massive boost for productivity.
The ability to standardise policies etc would be huge, especially if developing a new website.
1:26 pm
I haven't ever had a plugin on your list, until today. Do you make an effort to contact the plugin author? I have built up a really nice relationship with this author and he is very active, so I want him to know, and to make it safe since I use it on several client sites. What do you suggest?
3:30 pm
Blocking IPs manually in the .HTACCESS file or adding them manually in other ways is going to be a long and tiresome task. Been there done that to realise this myself.
Having Wordfence do this Automatically when an IP breaks a rule - such as Immediately lock out invalid usernames, or if pages not found (404s) exceed 3 - is a much more efficient and stress free way to block IPs. I now sleep at night ;)
But tight rules come at a risk. Mistype your username, or if your site has a couple of 404s, and you will be locked out, and the "unlock" process can be unreliable at times from a user perspective (forgotten admin email address, or mail not sent from the hosting server). There are ways around this that require a bit more detail than this thread allows. Visit the Docs site: https://docs.wordfence.com/
Back to Topic - Wordfence has a setting, If 404s for known vulnerable URLs exceed: X
Will this setting help block IPs that are attempting to hack the listed plugins?
7:35 am
Something like that would be very useful, https://www.statuscake.com/API/Locations/txt (this is just an example, do NOT block those IPs).
3:43 pm
I'm using .htaccess too. And don't forget to set file permission to 0444
0440 is the recommendation but permalink doesn't like it.
With the wp-config.php file permission should be set to 0440
Thank you Wordfence team for a wonderful plugin.
:) Pk
8:48 pm
OMG! I was using DB-Manager for my blog, but now removed.
Thanks for the reporting by the way. :)
9:13 pm
Hi Anil,
If you're referring to WP Database Backup: https://wordpress.org/plugins/wp-database-backup/changelog/
The plugin author is very actively maintaining the plugin and has fixed multiple vulnerabilities. His most recent release is just two weeks ago.
As I mentioned in the final paragraph of our post: "It does not give any indication of whether a plugin in this list is more or less secure than others."
Check each of your plugins individually and if a plugin is actively maintained and the changelog says the vulnerability has been fixed, then it's probably quite secure.
Mark.
12:58 am
Hi, isn't this like a pop chart? Next week the hackers will have moved on. It seems not to include some major core plugins that recently had faults identified. It would be interesting to see how many of these plugins are on the trusted WordPress plugins directory and what testing is undertaken for plugin vulnerabilities before and after inclusion. I fear that until a lite core version of WordPress is created, it will be inherently damaged. That's before any plugin vulnerabilities are included. We have moved many sites back to basic html. The risk is that WordPress receives so much brand damage that it disintegrates. #WPbloat
6:48 am
Hi David,
I just want to reemphasize that these are actual attacks. It's raw data. This is not our opinion - and so yes, it's interesting that a few high profile recent vulnerabilities/exploits are not included - perhaps it indicates the vast majority of attackers out there are relatively unsophisticated.
Mark.
2:12 am
Just like Chris and a few others I also noticed a lot of login attempts with login name 'test'. Non-existing login names will be automatically blocked for a while, so I do not really bother about this.
About the enormous IP- list of attackers. Apart from the fact whether or not it's useful and/or cumbersome. When it's imported in Wordfence or .htaccess, wouldn't that impact the websites response time?
2:15 am
That's interesting. I have not used any of these listed plugins and I do keep updating the plugins frequently. Good to know about these themes and I do Wordfence for providing better information about the hacks and to secure websites
4:58 am
Hi,
I'm the author of the wp-miniaudioplayer plugin (one of the plugins you included in your list).
I would like to let you know that the vulnerability test you made refers to the 1.6 and 1.7 versions, while now the plugin is at version 1.8.2 and the vulnerability issue was solved almost one year ago. You should not publish such news only to promote your software without being more accurate and verifying what you are writing...
-1 for you guys.
Matteo
6:46 am
Matteo,
We put our community first and these are real attacks that are happening on the ground during the past week. Sorry you wrote a vulnerability. Good to hear you fixed it. We've written a few of our own in the past and it's never a happy event, but responding quickly and posting here is the kind of thing that lets your own customers know that you are actively maintaining your plugin and are security conscious.
Mark.
6:36 am
Is there any reason why Wordfence's use of resources would be exponentially increased recently? My web host shut my site down because of Wordfence's crazy resource use.
6:44 am
No there isn't Sandy. Please post in our support forums for a more detailed answer if you'd like one.
6:49 pm
Hi all,
What I cannot understand is, even before I totally lost interest in my site, I had no memberships or any products of any kind for sale! So what I cannot understand is that there was NO METHOD for me to make money from the site that could use any payment methods of any kind, no data of any kind was ever collected! Yet I had times where the site was almost bombed into next year with attacks. I copy the IPs to my .htaccess file daily as I felt your software was keeping them out lol. BUT WHAT IS IN IT FOR THEM??? To be really honest with you, my site is just off being a waste of internet space!
9:04 am
what version of db-backup? The report says 2014.
I was using it on a ton of sites and have since removed. I contacted the author on WP support forums.
It is such a useful, time saving tool & I would really like to use it again or at least help the author get it sorted if it is not already.
8:28 pm
This would be awesome as a something that I could keep track of and host on my website. Sort of like the stock market of attacked WP plugins.
2:31 am
Beware of this IP: 14.201.67.60
Just a sample of what is happening
and lots more!
Be safe
Paul