Experts from security firm Wordfence say they have observed a wave of web attacks that took aim at unfinished WordPress installations.
These are sites where a user had uploaded the WordPress CMS and started, but never finished, the installation process.
These sites remained open to external connections, and anyone could have accessed their install panel and completed the installation on behalf of the user.
According to Wordfence, this is exactly what happened. For almost a month, from the end of May through mid-June, an attacker mass-scanned the Internet for WordPress installations that still featured their installation file.
Mark Maunder, Wordfence founder and CEO, says his company observed one threat actor connecting to these unfinished WordPress sites, entering his own database credentials, and completing the installation process.
The attacker would then connect to the site using his newly created admin account and use the theme or plugin file editor to insert malicious code and execute it, effectively taking over the victim's server. In a variation of this attack, the intruder also installed a custom plugin that executed the same malicious code.
Maunder named these attacks "WPSetup Attack" and is advising users to finish the WordPress installation process right after they upload the CMS files to their server, as a new wave of these scans could start at any moment.
In a report released a day after the WPSetup Attack alert, Wordfence also said that attacks on WordPress sites went up in June compared to the previous month.
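Site owners can audit their own web roots for the condition described above. The script below is an added example, not code from Wordfence or WordPress. It assumes an install is unfinished when the core files are present but no wp-config.php exists where WordPress looks for it (the install root, or one directory up), and the sample directory layout is constructed.

```python
import os
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes", "wp-content")

def is_wordpress_root(path):
    """Core installer and loader present: this directory is a WordPress root."""
    return (os.path.isfile(os.path.join(path, "wp-admin", "install.php"))
            and os.path.isfile(os.path.join(path, "wp-settings.php")))

def has_config(path):
    """Mirror WordPress's lookup: wp-config.php in the root, or one level up
    when the parent directory is not itself a WordPress install."""
    if os.path.isfile(os.path.join(path, "wp-config.php")):
        return True
    parent = os.path.dirname(os.path.abspath(path))
    return (os.path.isfile(os.path.join(parent, "wp-config.php"))
            and not os.path.isfile(os.path.join(parent, "wp-settings.php")))

def find_unfinished_installs(base):
    """Return sorted WordPress roots under base that have no wp-config.php."""
    hits = []
    for dirpath, dirnames, _ in os.walk(base):
        if is_wordpress_root(dirpath):
            if not has_config(dirpath):
                hits.append(dirpath)
            # Skip core directories but still find nested installs (e.g. /blog).
            dirnames[:] = [d for d in dirnames if d not in CORE_DIRS]
    return sorted(hits)

def build_sample_tree(base):
    """Constructed sample layout: only the 'staging' site is unfinished."""
    layout = {
        "finished": ["wp-admin/install.php", "wp-settings.php", "wp-config.php"],
        "staging": ["wp-admin/install.php", "wp-settings.php", "wp-config-sample.php"],
        "hardened/public": ["wp-admin/install.php", "wp-settings.php"],
        "hardened": ["wp-config.php"],  # config kept one level above the web root
    }
    for site, files in layout.items():
        for rel in files:
            full = os.path.join(base, site, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for root in find_unfinished_installs(tmp):
            print("unfinished WordPress install:", root)
```

Any directory the script reports should have its installation completed or its WordPress files removed.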
Below are some of the main points from Wordfence's June 2017 WordPress Attack Report: