Millions of WordPress sites targeted by File Manager zero-day
A dramatic surge in attacks saw one million sites targeted on 4 September alone


More than 1.7 million sites designed on the WordPress platform have been attacked due to a zero-day vulnerability in the File Manager plugin, with hundreds of thousands more sites likely to be under threat.
Attacks against a flaw in the File Manager plugin surged dramatically towards the end of last week, according to researchers with the Wordfence security plugin, with attacks against one million sites on 4 September alone.
Hackers have been exploiting the flaw in the wild by executing commands to upload malicious files onto target WordPress sites. Analysis by Wordfence’s threat intelligence team showed it was also possible to bypass the in-built file upload protection mechanism.
Although a patch has been released, labelled as version 6.9 of the plugin, as of last Friday there were still 261,800 sites running a vulnerable form of File Manager. Sites not using the plugin are still being probed by bots seeking to exploit vulnerable versions of the app.
Of the three million WordPress sites that Wordfence protects, 1.7 million have been probed for the vulnerability, meaning the true extent of the exploitation is unknown and likely much higher than reported figures.
File Manager is designed to help administrators manage files on their sites, and offers an additional library known as elFinder which is an open-source file manager designed to provide a simple user interface.
The issue centres on the File Manager plugin renaming the extension on the elFinder library 'connector.minimal.php.dist' file to '.php', meaning it can be executed directly - even though the connector file isn’t used by File Manager itself. The file had no direct access restrictions, meaning it could be accessed by anyone.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
The attacks that Wordfence researchers have seen in the wild involved hackers using the upload command to upload PHP files containing webshells hidden in an image.
Beyond applying the patch, Wordpress users are being offered an extra layer of protection thanks to an additional firewall rule that prevents all access to ‘connector.minimal.php’.
Wordfence has also recommended that users not actively using the plugin should uninstall it completely to avoid any risk.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.
-
New chapter, same partners: Keeping the channel aligned with change
Industry Insights How to maintain strong channel partnerships amid evolving strategies and market change
-
Palo Alto Networks snaps up CyberArk in identity security push
News The acquisition marks the latest in a string for Palo Alto Networks
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?
News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to know
News Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-days
News The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claim
News Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerability
News A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious risk
News Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to know
News Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted data
News Using only a $10 test rig, researchers were able to pull off the badRAM attack