Hackers have launched a massive attack against more than 900,000 WordPress sites seeking to redirect visitors to malvertising sites or plant a backdoor if an administrator is logged in.

Based on the payload, the attacks seem to be the work of a single threat actor, who used at least 24,000 IP‌ addresses over the past month to send malicious requests to more than 900,000 sites.

XSS, malvertising, backdoor

Compromise attempts increased after April 28. WordPress security company Defiant, makers of Wordfence security plugin, detected on May 3 over 20 million attacks against more than half a million websites.

Ram Gall,