Skip to main content

So, it turns out that having a fresh installation of WordPress is almost as bad as having an outdated one…

Throughout May and June, the team from security firm WordFence observed a flurry of activity originating from some of the darkest-known corners of the internet.

The activity involved searching for the presence of a file used when setting up WordPress for the first time. Specifically:


This file would be found where a user uploaded the WordPress files, but did not follow through with the installation process. If the installation had been completed, the file would have been automatically removed.

The presence of this file would allow someone to complete the installation and effectively take control of the WordPress installation. Worse though, once they have control of WordPress, they could then upload malicious code that would allow them to take control of the server itself.

Mark Maunder, Wordfence founder and CEO, named these attacks the “WPSetup Attack,” and advises users to ensure they finish a WordPress installation immediately after uploading the CMS files on their server.

How the WPSetup Attack Works

If you’ve ever installed WordPress before, you’d probably recognise the following steps.

The first step is to select your language:

Then you see an introductory message:

And finally, you let WordPress know your database name, username, password and which server it lives on.

If an attacker finds your fresh install, they can easily click through the first two steps and then enter their own database server information in this final step. Their database can be on their own server, and it doesn’t have to contain any data – it can simply be an empty database. They just need to get a working WordPress installation running on your site that they have admin access to.

Once this step is complete, WordPress confirms that it can communicate with the database – in this case, the attacker’s database:

Once the attacker clicks “Run the install,” they are prompted to enter information to create the first admin-level account.

They enter their own account information, click the Install button and receive a confirmation that WordPress has been installed and the admin account has been created.

Once an attacker has admin access to a WordPress website running on your hosting account, they can execute any PHP code they want in your hosting account.

Read the full story at

Leave a Reply