Malicious Actors Targeting New WordPress Installations

Wordfence researchers reported observing a recent spike in compromises of newly created WordPress-powered websites. The malicious actors are scanning websites for the presence of /wp-admin/setup-config.php, a URL that denotes when new instances of WordPress have been installed on a server, but have yet to be configured. Once a new WordPress installation is located, the hackers complete the configuration of the site, entering their own database server information and providing themselves with administrative access. The hackers can then use this access to install a malicious shell in the directory of the victim’s hosting account and gain full control of that account, execute malicious code on the victim’s website, and upload custom malicious plugins. The NJCCIC recommends all administrators of WordPress-powered websites, as well as website hosting providers, review the Wordfence security report and implement the appropriate recommended solution to help protect websites and hosting accounts from the WPSetup attack.