AWS Attacks Targeting WordPress Increase 5X

The Wordfence Threat Intelligence team has been tracking a huge increase in malicious login attempts against WordPress sites in our network. Since November 17, 2021, the number of attacks targeting login pages has doubled.

Wordfence has seen a global increase in attacks against WordPress sites during the past week, and more than a quarter of all of the malicious login attempts they are tracking now originate from Amazon Web Services (AWS) EC2 instances.

While AWS makes it easy for businesses to move to the cloud, attackers are increasingly abusing the same scale that cloud services, including AWS, provide.

Many site owners still reuse the same password in multiple locations, and data breaches, such as the recent GoDaddy breach, are frequently a source of compromised passwords. Attackers use these compromised passwords to attempt to log in to even more sites and services. Using this technique, attackers may guess your login correctly on the first try.

We also recommend that everyone use 2-factor authentication wherever possible, as it is an incredibly effective way of protecting your site even if an attacker has your password. The free version of Wordfence includes 2-factor authentication as a feature.

Full article at https://www.wordfence.com/blog/2021/11/aws-attacks-targeting-wordpress-increase-5x

GoDaddy hacked

A major breach of GoDaddy was disclosed on November 22nd affecting some 1.2 million accounts, as well as “Managed hosting” accounts that are affiliated with GoDaddy through Media Temple, 123Reg, Domain Factory, Heart Internet, and Host Europe.

Apparently the hackers had access for over two months before the breach was discovered.

One of the biggest flaws exposed in this breach is that GoDaddy was storing your passwords as unencrypted plain text. That means the hackers didn’t even have to go through the trouble of decrypting anything to gain access to your account, FTP/SFTP, database, etc. GoDaddy is auto-resetting database and some other passwords, as well as SSL certificate keys that were potentially exposed.

What Should I Do If I’m Affected?

If you use GoDaddy to host your WordPress site, here are a few (strong) recommendations to protect your website and your hosting account:

1. Reset your WordPress admin password.

2. Implement two-factor authentication for WordPress admin accounts.

3. Review your website’s security logs to see if there are unexpected logins to admin accounts.

4. Force a password change for all users at Contributor or higher level.

5. Log in to GoDaddy and change any FTP, SFTP, or other passwords associated with your account or sites.

See the iThemes link below for details on all of the above.
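Steps 3 and 4 above can be automated on a self-hosted site. The following is an added example written for this newsletter, not code from iThemes, GoDaddy or WordPress itself; it is a must-use plugin (drop it into wp-content/mu-plugins/) that writes every administrator login to the PHP error log and registers a WP-CLI command that forces a password change for every user at Contributor level or higher. All names prefixed `pywp_` are assumptions made for this example, and `retrieve_password()` as a callable function requires WordPress 5.7 or later.

```php
<?php
/**
 * Plugin Name: PYWP Post-Breach Helpers (added example, not from iThemes or GoDaddy)
 * Load from wp-content/mu-plugins/ so it runs on every request.
 *
 *   - Step 3: record every successful login by a user who can manage options
 *     (an administrator) so unexpected admin logins show up in the log.
 *   - Step 4: "wp pywp force-reset" replaces the password of every user at
 *     Contributor level or above, ends their sessions and mails a reset link.
 */

// Step 3: log administrator logins with source address and timestamp.
add_action( 'wp_login', 'pywp_log_admin_login', 10, 2 );
function pywp_log_admin_login( $user_login, $user ) {
    if ( ! user_can( $user, 'manage_options' ) ) {
        return;
    }
    // REMOTE_ADDR is the TCP peer; behind a proxy or CDN it is the proxy's address.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        '[pywp] admin login: user=%s id=%d ip=%s time=%s',
        $user_login,
        $user->ID,
        $ip,
        gmdate( 'c' )
    ) );
}

// Step 4: force a password change for every user in the given roles.
// Returns an array of user_login => status for reporting.
function pywp_force_password_change( array $roles ) {
    $user_ids = get_users( array(
        'role__in' => $roles,
        'fields'   => 'ID',
    ) );
    $report = array();
    foreach ( $user_ids as $user_id ) {
        $user = get_userdata( (int) $user_id );
        if ( ! $user ) {
            continue;
        }
        // Replace the password with a random one that nobody is told...
        wp_set_password( wp_generate_password( 32, true, true ), $user->ID );
        // ...terminate every existing session for the account...
        WP_Session_Tokens::get_instance( $user->ID )->destroy_all();
        // ...and send the standard WordPress password-reset e-mail (WP 5.7+).
        $result = retrieve_password( $user->user_login );
        $report[ $user->user_login ] = is_wp_error( $result )
            ? $result->get_error_message()
            : 'reset email sent';
    }
    return $report;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    // Usage: wp pywp force-reset
    WP_CLI::add_command( 'pywp force-reset', function () {
        $roles  = array( 'contributor', 'author', 'editor', 'administrator' );
        $report = pywp_force_password_change( $roles );
        foreach ( $report as $login => $status ) {
            WP_CLI::log( "$login: $status" );
        }
        WP_CLI::success( count( $report ) . ' accounts reset.' );
    } );
}
```

The reset is deliberately exposed only through WP-CLI rather than an admin URL, so it cannot be triggered by a stray request, and it resets administrators too, since they sit above Contributor level. Review the error log for `[pywp] admin login` lines you cannot account for before and after the reset.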

To be honest, we at ProtectYourWP and SustainableSources have never particularly liked GoDaddy, and though we reluctantly concede that they’ve gotten better in recent years we still suggest that you find a better hosting solution! So when they use the tagline in their advertising “It’s Go Time!”, we feel it’s more appropriate to say “It’s Go AWAY Time!”

Be on Guard for an Increase in Phishing Emails

There is a good chance that various hackers and scammers will use the breached data to extend their attacks to other services by sending out phishing emails.

Articles:

https://ithemes.com/blog/godaddy-hacked/

https://www.infosecurity-magazine.com/news/godaddy-announces-data-breach/

https://www.engadget.com/godaddy-wordpress-security-issue-1-2-million-users-150142622.html

https://techcrunch.com/2021/11/22/godaddy-breach-million-accounts/

https://therecord.media/godaddy-data-breach-impacts-1-2-million-wordpress-site-owners/

WooCommerce Extension – Reflected XSS Vulnerability

A vulnerability was discovered in “Preview E-mails for WooCommerce”, a WordPress plugin that is an extension for WooCommerce, installed on over 20,000 sites. This flaw made it possible for an attacker to inject malicious JavaScript into a page that would execute if the attacker successfully tricked a site’s administrator into performing an action like clicking on a link.

Preview E-mails for WooCommerce is a simple plugin designed to give site owners the ability to preview the emails that are sent to customers via WooCommerce. Unfortunately, the plugin had a flaw that made it possible for attackers to inject malicious web scripts into the `digthis-woocommerce-preview-emails` page.

Details from Wordfence: https://www.wordfence.com/blog/2021/11/woocommerce-extension-reflected-xss-vulnerability
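The pattern behind a reflected XSS of this kind is a request parameter written into an admin page without escaping. The snippet below is an added illustration written for this newsletter, not code from the Preview E-mails for WooCommerce plugin or from Wordfence: a hypothetical admin-page callback in its weak form beside a hardened one. The function names, the `search_email` parameter and the `manage_woocommerce` capability check are assumptions for the example.

```php
<?php
// Hypothetical e-mail preview page callback (constructed example, not the plugin's code).

// WEAK: the request parameter is echoed straight into the page. Whoever can
// get an administrator to open a crafted link controls that markup.
function preview_page_weak() {
    $search = isset( $_GET['search_email'] ) ? $_GET['search_email'] : '';
    echo '<h1>Preview e-mails</h1>';
    echo '<p>Results for: ' . $search . '</p>';   // no sanitising, no escaping
}

// HARDENED: bind the page to a capability, sanitise the input on the way in,
// and escape the output for the context it lands in (esc_html() in text,
// esc_attr() inside attributes, esc_url() inside href/src). The rendered
// e-mail body is HTML by design, so it is filtered with wp_kses_post()
// rather than escaped.
function preview_page_hardened() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }
    $search = isset( $_GET['search_email'] )
        ? sanitize_text_field( wp_unslash( $_GET['search_email'] ) )
        : '';
    echo '<h1>' . esc_html__( 'Preview e-mails', 'example' ) . '</h1>';
    echo '<p>' . esc_html( 'Results for: ' . $search ) . '</p>';
    echo '<input type="text" name="search_email" value="' . esc_attr( $search ) . '">';

    // Constructed sample body; in a real plugin this comes from the WooCommerce
    // e-mail template. wp_kses_post() keeps post-safe tags and drops scripts
    // and event-handler attributes.
    $email_html = '<p>Your order is on its way.</p>';
    echo wp_kses_post( $email_html );
}
```

Sanitising on input and escaping on output are separate steps: `sanitize_text_field()` strips tags and control characters, but only the `esc_*()` call for the specific output context prevents the remaining characters from being interpreted as markup.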

Over 1 Million Sites Impacted by Vulnerability in Starter Templates Plugin

The Starter Templates plugin allows site owners to import prebuilt templates and blocks for various page builders, including Elementor.

The Starter Templates plugin, which is installed on over 1 million WordPress websites, was found to have a vulnerability that could allow malicious JavaScript to be inserted and then used to overwrite any post or page by sending an AJAX request.

(The full name of the WordPress plugin is “Starter Templates — Elementor, Gutenberg & Beaver Builder Templates”)

Versions 2.7.0 and older of this plugin contain a vulnerability that allows Contributor-level users to completely overwrite any page on the site with malicious JavaScript.

Full details at: https://www.wordfence.com/blog/2021/11/over-1-million-sites-impacted-by-vulnerability-in-starter-templates-plugin/

‘Tis the Season for the Wayward Package Phish

The holiday shopping season always means big business for phishers, who tend to find increased success this time of year with a lure about a wayward package that needs redelivery. Here’s a look at a fairly elaborate SMS-based phishing scam that spoofs FedEx in a bid to extract personal and financial information from unwary recipients.

Louis Morton, a security professional based in Fort Worth, Texas, forwarded an SMS phishing or “smishing” message sent to his wife’s mobile device that indicated a package couldn’t be delivered.

“It is a nearly perfect attack vector at this time of year,” Morton said. “A link was included, implying that the recipient could reschedule delivery.”

Attempting to visit the domain in the phishing link — o001cfedeex[.]com — from a desktop web browser redirects the visitor to a harmless page with ads for car insurance quotes. But by loading it in a mobile device (or by mimicking one using developer tools), we can see the intended landing page pictured in the screenshot in the article below — returns-fedex[.]com.

https://krebsonsecurity.com/2021/11/tis-the-season-for-the-wayward-package-phish/

Vulnerability in WP DSGVO Tools (GDPR) Plugin

A vulnerability was found by the Wordfence team in WP DSGVO Tools (GDPR), a WordPress plugin with over 30,000 installations. They were investigating the plugin to verify that their customers were fully protected from an actively exploited XSS issue, and found a flaw that allowed unauthenticated attackers to completely and permanently delete arbitrary posts and pages on a website.

The WP DSGVO Tools (GDPR) plugin contains functionality that lets users request that their personal information be removed from a site. It also contained an AJAX action, admin-dismiss-unsubscribe, to allow administrators to “dismiss” these removal requests. The requests were stored in the WordPress posts table, so “dismissing” a data removal request simply involved deleting the associated post ID.

Unfortunately, the AJAX action was available to unauthenticated users, and the plugin did not check to see if the post to be deleted was actually a data removal request. As such, it was possible for any site visitor to delete any post or page on the site by sending an AJAX request with the admin-dismiss-unsubscribe action along with the ID of the post to be deleted. Sending the AJAX request once would move the post to the trash, while repeating the request would permanently delete it.

While it is true that site defacements have become less popular in recent years as they are more difficult to monetize, it would be trivial for an attacker to delete most of a site’s content in a way that would be impossible to recover unless the site’s database had been backed up.

We strongly recommend updating immediately to the latest available version of the plugin, which is 3.1.26 as of this writing, as it contains fixes for both the post deletion vulnerability and the XSS issue.
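Both this flaw and the Starter Templates issue above come down to an AJAX action that does more than the caller's privilege should allow: here an unauthenticated visitor deleting any post, there a Contributor overwriting any page. The following is an added example written for this newsletter, not code from WP DSGVO Tools, Starter Templates or Wordfence. It shows a handler with the three checks the section says were missing (not reachable without login, capability check, post-type check) next to a weak form that has none of them. The action name admin-dismiss-unsubscribe is taken from the text above; the function names, the `dsgvo_request` post type and the `dsgvo_dismiss` nonce action are assumptions for the example.

```php
<?php
// Constructed example; not the plugin's actual code.

// WEAK: reachable without login (wp_ajax_nopriv_), no nonce, no capability
// check, and nothing verifies that the ID names a data-removal request.
add_action( 'wp_ajax_admin-dismiss-unsubscribe',        'dsgvo_dismiss_weak' );
add_action( 'wp_ajax_nopriv_admin-dismiss-unsubscribe', 'dsgvo_dismiss_weak' );
function dsgvo_dismiss_weak() {
    $post_id = isset( $_REQUEST['id'] ) ? (int) $_REQUEST['id'] : 0;
    wp_delete_post( $post_id );   // trashes on the first call, deletes on the second
    wp_send_json_success();
}

// HARDENED: registered for logged-in users only (no nopriv hook), and every
// request must pass (1) a nonce, (2) a post-type check that the target really
// is one of the plugin's own removal requests, and (3) a capability check
// bound to that specific post.
add_action( 'wp_ajax_admin-dismiss-unsubscribe', 'dsgvo_dismiss_hardened' );
function dsgvo_dismiss_hardened() {
    // (1) CSRF protection: the admin screen prints wp_create_nonce('dsgvo_dismiss')
    // and posts it back as _ajax_nonce; a mismatch ends the request with HTTP 403.
    check_ajax_referer( 'dsgvo_dismiss' );

    $post_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // (2) only the plugin's own request objects may be deleted through this action,
    // so an ordinary page or post is never a valid target.
    if ( ! $post || 'dsgvo_request' !== $post->post_type ) {
        wp_send_json_error( 'not a removal request', 404 );
    }

    // (3) an explicit, per-object capability. A Contributor holds neither
    // manage_options nor delete_post on content they do not own, so the
    // Starter Templates style of low-privilege abuse is refused here too.
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $deleted = wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => (bool) $deleted ) );
}
```

When reviewing a plugin, search for `wp_ajax_nopriv_` registrations and confirm each handler really needs to be public; for the rest, confirm the handler checks a capability rather than relying on the `wp_ajax_` hook alone, since that hook only proves the caller is logged in, at any role.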

Source: https://www.wordfence.com/blog/2021/11/vulnerability-in-wp-dsgvo-tools-gdpr-plugin-allows-unauthenticated-page-deletion