A new wave of attacks hitting incomplete installations of WordPress could allow online crooks to run illicit PHP code on your WordPress site.

Wordfence, a firm of security specialists, have revealed that the attacks target new instances of WordPress that have been installed but not yet configured. In a report by SecurityWeek, it was disclosed that the attacks peaked during May and June 2017 and are still ongoing. If the attack is successful, the attacker can gain complete access to both the website and possibly the whole hosting account.

WordPress Vulnerabilities

Unfinished WordPress installations are depressingly widespread across the web, with many users failing to grasp the risks. It’s common practice for a user to install the WordPress platform by copying the WP archive into one of their hosting account directories. Many hosting providers also provide a one-click installer tool that automatically sets up a basic WordPress installation. What many users fail to understand, however, is that until the configuration process is complete, their website is wide open to criminal interference.

How the Attack Works 

To identify potential targets, attackers scan the web to find instances of the WordPress setup URL. This tells them that a user has uploaded the CMS, but has not yet configured their installation. Unauthorized individuals can easily log in from outside and commandeer the installation. By entering their own database-server information in place of the legitimate site owner’s, attackers can set up an admin account and sign into WordPress, even if the installation is on the victim’s private server.

WordPress and PHP Risks 

Once an attacker has admin access to a WordPress installation, the way is clear for them to use that site to execute any PHP code they choose. According to Wordfence, it’s possible for bad actors to set up a malicious shell that gives them complete access to all the files and websites attached to that account, including any databases.

Mitigating the Threat 

Preventing this kind of attack is as simple as completing configuration during the installation process. WordPress site owners should also audit all of their sites to ensure that there are no incomplete installations or PHP vulnerabilities for hackers to exploit. One option for busy site owners is to opt for reliable managed WordPress hosting. This type of hosting provides ongoing technical security support.

As well as completing your WordPress installation, it’s also very important that any themes or plugins used are kept up to date. These may also contain vulnerabilities.