Attackers are misusing the Certificate Transparency (CT) protocol to breach new WordPress sites during the generally brief period before the CMS is installed and safeguarded. CT is a web security standard for monitoring and evaluating TLS (aka SSL) certificates, which are used to confirm the identity of websites and are provided by certificate authorities (CAs).
The DigiCert CA was the first to adopt the standard in 2013, which requires CAs to instantly report all freshly issued certificates on public logs with the aim of openness and the quick detection of rogue or abused certificates. However, evidence is mounting that dangerous hackers are watching these logs to locate new WordPress domains and set up the CMS themselves after web administrators have uploaded the WordPress files but have yet to lock the site with a password.
Several testimonials have surfaced of sites being hacked within minutes, even seconds, of requesting TLS certificates. The emergence of a malicious file (/wp-includes/.query.php) and sites being forced to participate in DDoS attacks have been reported by domain owners. A Certbot developer stated the attacks had “been happening for a few years now” on a related thread on the Let’s Encrypt support forum, a CA that gives free certificates and introduced its own CT log in 2019.
The engineer’s hypothesis about the attackers’ spying tactics is supported by Josh Aas, executive director of the Internet Security Research Group, which operates Let’s Encrypt. “If the attacker is polling CT logs directly they would see new certificate entries faster, giving them a larger time window in which to pull off the attack,” Aas said. Scanning crt.sh, a certificate search domain, “might also work, but it takes longer for new certificates to propagate from CT.”
The attacks aren’t being blamed on the CT system, which, as per Let’s Encrypt, has “led to numerous improvements to the CA ecosystem and web security” and “is rapidly becoming critical infrastructure.” All publicly trusted CAs, according to Aas, are obligated to send certificates to CT logs “without delay after they are issued.” He indicated that domain owners and hosting providers are ultimately responsible for securing new WordPress sites.
“Getting a certificate from Let’s Encrypt may make it easier to detect a new installation, but nobody should be putting WordPress installations on the public internet until they are secured. If a hosting provider or any other entity is doing that, please report it as a vulnerability in their deployment process.”
According to Josepha Haden, executive director of Automattic’s WordPress project, the cyberattacks “only affects direct installations – if a site is on any recommended host, or the installation process is automated, there is usually a pre-configured config file so the installation process is complete/is not interactive and there’s little chance for that attack.”
White Fir Design, a Colorado-based web design business, said that WordPress may solve the problem by providing the domain owner “control of the website” from the start, “say, by adding a [template] file.” Christopher Cook, creator of Let’s Encrypt Windows UI Certify the Web, suggested on the Let’s Encrypt forum that WordPress “could randomise the install URL and present it only to you in the console, or require a one-time token.”
