The Wordfence team reports at least 130 million attacks were detected between May 29 to May 31, 2020. The attacks were intended to harvest a website’s database credentials by downloading the configuration files.
Most of the attacks were targeted at the vulnerabilities in outdated plugins and/or themes that allow files to be downloaded or exported.
To confirm whether your website has been compromised, check your server logs and look for any entries containing wp-config.php in the query string that returned a 200 response code.
Here are the top 10 attacking IP addresses in this campaign:
Sites running the Wordfence plugin should be safe from these attacks. If you believe your website has been compromised, change your database password, and authentication unique keys and salts immediately.
For more information please check the official public release.
Beyond that, it is strongly recommended to update your themes and plugins to their latest versions and ensure that your host is using the latest stable version of PHP.
If you have questions, don’t hesitate to contact our support team.