Wordfence experts have discovered a new type of web-attack, in which attackers use incomplete WordPress installations. That is, attacks are based on sites where users have already downloaded the WordPress content management system (CMS), the notes have not been installed to the end. Such resources are open to external connections, and anyone can access the installation panel and complete the installation of the CMS.

According to Wordfence, from the end of May to the middle of June this year, the number of Internet scans for the presence of WordPress installations with the installation file. The researchers found at least one hacker who got access to the site where CMS was not installed until the end. Unknown uploaded the password and login of its own database and completed the installation process.

Thus, he ensured himself the ability to manage the site through a newly created administrator account and through the file editor to introduce and execute malicious code to gain control over a foreign server. The attacker also installed his own plug-in to execute malicious code.

Simultaneously with the increase in the number of scans in June 2017, the number of attacks on sites running WordPress increased. Most of the attacks were carried out from IP-addresses in Russia, Ukraine and the United States.