According to experts at the WordPress security plugin WordFence, attackers are using automated scans to target freshly installed WordPress websites, taking advantage of administrators who fail to properly configure their server’s settings. The experts dubbed the attack WPSetup attack.
Hackers launched thousands of scans each day, searching for the URL /wp-admin/setup-config.php, that new WordPress installs use to setup new sites.
The attackers aim to find new WordPress installs that are not yet configured by the administrators.
In the period between the end of May and mid-June, WordFence researchers observed a spike in the number of attacks targeting WordPress accounts from the end of May to mid-June.
“In May and June, we saw our worst-of-the-worst IPs start using a new kind of attack targeting fresh WordPress installations.” states WordFence.
“We also had our first site cleaning customer that was hit by this attack.
Attackers scan for the following URL:
This is the setup URL that new installations of WordPress use. If the attacker finds that URL and it contains a setup page, it indicates that someone has recently installed WordPress on their server but has not yet configured it. At this point, it is very easy for an attacker to take over not just the new WordPress website, but the entire hosting account and all other websites on that hosting account.”
In just one day, on May 30, the experts observed roughly 7,500 scans a day, a peak in the malicious activity.
The WPSetup attack leverages on the fact that a user hasn’t finished setting up its WordPress installation, the attacker can exploit this condition to complete the user’s installation.
The attackers operate with admin access, this means that they can enter their own database name, username, password, and database server. The attackers can take over the website running their own installation or creating a supplementary account.
How the WPSetup Attack Gets Full Control of Your Hosting Account?
Once the attacker gains admin access to a WordPress website running on your hosting account, they can execute PHP code via a theme or plugin editor.
The attackers can install a shell in a victim’s directory to access any files or websites on the account or access any databases or application data.
“Once an attacker can execute code on your site, they can perform a variety of malicious actions. One of the most common actions they will take is to install a malicious shell in a directory in your hosting account. At that point they can access all files and websites on that account. They can also access any databases that any WordPress installation has access to, and may be able to access other application data.” continues the analysis.
WordFence explained that the WPSetup attack is not new, but this is the first time for such kind of attack on a large-scale.
WordFence recommends users to create a specially coded .htaccess file in the base of their web directory to avoid attackers access it before the installation is completed.
“Before you install a fresh WordPress installation, create a .htaccess file in the base of your web directory containing the following:
order deny,allow deny from all allow from <your ip>"
Replace the ‘<your ip>’ with your own IP address. You can find this out by visiting a site like whatsmyip.org.
This rule ensures that only you can access your website while you are installing WordPress. This will prevent anyone else from racing in, completing your installation and taking control of your hosting account by uploading malicious code.
Once complete, you can remove the .htaccess rule and allow the rest of the world to access your website.”
(Security Affairs – WPSetup attack, WordPress)