Cover Image  ValicyberWordpress1

WordPress is one of the most popular content management systems in the world due to the ability it gives non-technical, inexperienced users to create professional, effective websites. According to data from W3Techs, WordPress was used by 43% of all websites on the Internet in 2022.

This widespread usage, combined with persistent security vulnerabilities, has put a target on WordPress’s back. Malicious hackers have come to view attacks exploiting WordPress vulnerabilities as an easy and effective way to gain access to valuable credentials and infect systems with harmful software. 

Securing WordPress sites against damaging attacks is a challenge, as new vulnerabilities are constantly being discovered, and even sites that are considered secure are frequently breached with emerging attacks. In this article, we introduce a minimum impact solution that leverages predictive analysis detection and automated remediation, and demonstrate its effectiveness in securing WordPress sites against attacks exploiting both new and known flaws.

WordPress: A Popular Target Among Malicious Hackers

WordPress has become a favorite target among cyber thieves as its prevalence on the Internet continues to increase. WordPress provides cybercriminals with an efficient way to launch malicious campaigns such as brute force attacks, cross-site scripting (XSS) attacks, DDoS attacks and malware campaigns that target a maximum number of websites at once. Moreover, insecure default WordPress settings, frequent misconfigurations and the use of predictable login credentials and outdated CMS versions, themes and plugins frequently grant adversaries easy entry. 

A successful attack exploiting one compromised WordPress install in a shared environment can impact tens of thousands of other websites who may not have been compromised and result in severe, widespread consequences for both the website owner and the website owner’s customers. The potential repercussions of such an attack include the compromise of sensitive data, the installation of malicious software such as ransomware and cryptominers on target systems, use of the bandwidth of the WordPress server to host malicious activities, and lasting reputational harm. Vali Cyber VP of Product and Technical Marketing Drew Vanover explains, “Shared cloud computing offers many benefits to customers such as not needing to maintain hardware or patch operating systems. However, this shared model also shares the increased risks inherent to a successful attack.” He elaborates, “It is not just the hosting provider's customers that are impacted, but the hosting provider itself has to deal with the repercussions, remediation, brand exposure, and customer reactions in the wake of a successful attack. Because it is a shared environment, the odds are in the malicious actor's favor; it only takes one vulnerable installation to let them in.”

As with any software, WordPress has vulnerabilities that hackers can easily exploit, but this doesn’t mean that the WordPress sites are unsafe to use. Vali Cyber ZeroLockTM, can add a strong layer of protection for WordPress sites to defend against these malicious attacks that threaten an organization’s sensitive data, critical systems and hard-earned reputation. 

Predictive Analysis Detection & Automated Remediation of Attacks Exploiting WordPress Vulnerabilities 

Vali Cyber ZeroLockTM is a solution we love for its ability to provide one of the strongest protection options for securing WordPress sites, as well as other Linux-based systems. ZeroLock provides comprehensive security for any Linux system, whether it’s on-premise or cloud, as well as IoT and edge devices, in an easy to install and manage package. This package includes fine-grained access rules, multi-factor authentication for SSH, ransomware and cryptojacking protection, automated remediations, and more. Given that the majority of WordPress sites run on Linux or containers, ZeroLock is essentially a purpose-built solution for securing WordPress sites. The solution also has a remarkably low overhead of <5% for businesses that, according to Forrester, are now spending $33 million on cloud annually. In comparison to other legacy security tools that can have 25-35% overhead, this can translate to millions of dollars saved per year in CPU cycles alone.

Vali Cyber CTO Austin Gadient adds, “With automated lockdown configuration and sophisticated access control capabilities combined with advanced behavioral threat detection technology, admins using ZeroLock can quickly and easily secure all of their Linux workloads against damaging attacks and detect and recover any threats that get through with minimal consumption of critical computing and human resources. Running entirely in user space, ZeroLock does not require any kernel modules and is compatible with all Linux systems kernel version 3.5 or greater, and across deployment environments."' 

Real-World Scenario: How ZeroLock Protects a Vulnerable WordPress Website

To demonstrate how ZeroLock combats an adversary’s attempt to infect a vulnerable WordPress site with malware, we step through a scenario involving a hacker with a simple goal: to launch a cryptominer on computing resources that are not their own, and reap the profits while someone else pays the bill. Web hosting providers using WordPress are an ideal target for exploits like this because finding vulnerabilities in WordPress websites is simple and many WordPress websites do not take the time to monitor their servers, allowing a cryptominer to go undetected for extended periods of time.

Phase 1: Malicious Plugin Upload

In the first phase of this attack, a malicious actor attempts to gain access to the target WordPress website through the wp- login.php console page. This particular user did not choose a strong password when setting up their website, and the attacker was able to gain access using a simple brute force attack.

01protecting Containers Picture

Figure 1: Attacker Brute Forces wp-login Password

With access to the target website, the attacker needs to upload a malicious plugin that gives them a webshell on the host system. They opt for the popular “Wordpress-webshell-plugin”, which allows the hacker to run arbitrary commands on the operating system running WordPress.

Securing Wordpress 2

Figure 2: WordPress Webshell Plugin Github

The attacker attempts to upload the plugin. Luckily, the server is protected by ZeroLock, and the malicious attempt is immediately detected.

Securing Wordpress 3

Figure 3: ZeroLock Alert for Malicious WordPress Plugin Upload Github

ZeroLock not only detects the attempt to upload a malicious WordPress plugin, it also deletes the files that were attempted to be uploaded, leaving the WordPress website clean and free of malicious PHP files.

Securing Wordpress 4

Figure 4: Files Removed by Malicious Plugin Upload Detection

Phase 2: Webshell Interaction

For this part of the demonstration, we disabled ZeroLock’s plugin protection to allow the attacker to continue their efforts. In this phase, the hacker successfully uploaded their malicious webshell plugin, and will now attempt to use this malicious plugin to start a webshell.

The attacker utilizes the WordPress-webshell- plugin’s tool to run commands. establishes a network connection to the WordPress-webshell-plugin. This terminal session allows the attacker to run arbitrary commands on the target system.

Thankfully ZeroLock detects webshells too! A new alert is opened in the ZeroLock console. The “INFO” column of the alert mentions MITRE technique T1059. 

Securing Wordpress 5

Figure 5: WordPress Plugin is Successfully Uploaded

Securing Wordpress 6

Figure 5: Webshell

In addition to webshells, ZeroLock contains detection capabilities for numerous techniques within the MITRE framework.

Securing Wordpress 7

Figure 6: MITRE T1059 Webshell Detection

ZeroLock provides detailed indicators of compromise that are extremely useful for threat hunting once an attack is detected. A process tree of all the programs involved in the attack is provided, which contains details about the parent-child relationships of processes involved in an attack. Additional detail about processes is available by clicking on them. As you can see in Figure 8 below, this attack leveraged Apache to launch the program Dash, and the dash process attempted to run the command “ls”.F

Protecting Containers Picture7

Figure 7: Webshell Process Tree

Phase 3: Malware Payloads 

To allow the attacker to proceed with their malicious efforts, we disable yet another of ZeroLock’s protections, allowing the attacker to use their webshell. Now that the attacker has shell access, they face another dilemma. They must launch their attack as the unprivileged www-data user.

8securing Wordpress 7

Figure 8: Attempt to Run ‘ls’ Command

Protecting Containers Picture10

Figure 9: Webshell whoami Command

In this case, the attacker is launching a cryptojacking attack. Thus, privileged access is not required, because cryptominers do not require admin permissions to burn through the CPU on the quest for cryptocurrency.

The attacker attempts to download and run the popular XMRig cryptominer. Yet again, their efforts are thwarted by ZeroLock. ZeroLock uses AI to detect cryptominers by inspecting the stream of instructions they execute, an advanced technique that uniquely allows ZeroLock to detect cryptomining regardless of the cryptocurrency or specific miner used. This tactic avoids the pitfalls of using IOCs and IOAs that are easy for an attacker to change. Instead, it targets behavior that all cryptomining malware exhibits, no matter its form. This makes ZeroLock’s detection capabilities future proof to new strains of malware and crypto mining algorithms that attackers continue to develop.

Protecting Containers Picture11

Figure 10: Attacker Downloads and Runs Cryptominer

Protecting Containers Picture12

Figure 11: ZeroLock’s Cryptomining Alert

Unable to use the system for crypto mining, the attacker launches a ransomware attack that would disable the website until a ransom is paid using the malware Defray777.

Protecting Containers Picture13

Figure 12: Attempt to Download and Execute Defray777 Ransomware

ZeroLock’s unique behavioral detection engine identifies the ransomware attack within milliseconds, and automatic remediation kicks in to clean and restore the system to its normal state.

Protecting Containers Picture12 1

Figure 13: Ransomware Alert

ZeroLock displays the list of any files affected by the ransomware. As a result of ZeroLock’s patent-pending rollback capabilities for Linux, any encrypted files are restored to their original version in less than a second, ransom notes are cleaned up, attempts to make ransomware persistent are rolled back, any network connections the attacker was leveraging to launch their payload are severed, and the website is restored to full operational status.

Protecting Containers Picture13 1

Figure 14: Files Restored by ZeroLock

LinuxSecurity expert and Founder Dave Wreski states, “As you can see this is a powerful tool for detecting and remediating attacks exploiting WordPress vulnerabilities, as well as any threat to a Linux environment. With its AI and behavioral detection capabilities that identify and remediate all threats virtually instantaneously, an adversary doesn’t stand a chance of evading this solution.”

Final Thoughts on Securing WordPress with ZeroLock

Security vulnerabilities are a serious issue for WordPress users, but with the right protection for WordPress websites, this doesn’t mean that WordPress is unsafe to use. With a comprehensive security solution like Vali Cyber ZeroLockTM in place that uses predictive analysis detection and automated remediation to identify and remediate vulnerabilities, organizations can reap the benefits that WordPress offers without sacrificing security. Wreski concludes, “I am thoroughly impressed with ZeroLock’s complete, minimum impact protection for WordPress websites. It’s the only threat management platform I’ve found that effectively uses predictive analysis detection to stop attacks exploiting WordPress vulnerabilities that evade traditional security solutions.”

Interested in learning more? Visit