In a massive attack on WordPress sites hackers tried to download configuration files by attacking old vulnerabilities in unpatched plugins to steal database credentials.
To take over databases, old exploits were used to download or export wp-config.php files from unpatched websites, extract database credentials, and finally use the usernames and passwords.
Gall also pointed out Wordfence blocked more than 130 million exploitation attempts on its network alone, which targeted more than 1.3 million WordPress sites, however, the attacks are believed to have targeted even many more other sites, not covered by the company’s network.
The attacks were carried out from a network of 20,000 different IP addresses. In May these IPs were used in another large-scale campaign to target WordPress sites, using a batch of XSS -cross-site scripting vulnerabilities and attempted to insert new admin users and backdoors on targeted sites.
Although, different vulnerabilities were targeted same hacker is believed to be behind both attacks.