Cybercrime Crew Leaves Its Own Server Wide Open, Exposing 1.4 Million Website Target List
A misconfigured server ran unprotected for three weeks, handing researchers a rare look inside a mass WordPress hacking operation now tracked as WP-SHELLSTORM.

Key points
- A cybercrime group left its own command server open on the public internet for three weeks, exposing tools, logs and target lists.
- The exposed files named more than 1.4 million websites the group was probing, most of them running WordPress.
- Researchers are now tracking the operation as WP-SHELLSTORM, after finding backdoors planted on thousands of sites.
- Far fewer than 1.4 million sites were actually broken into, but the leak revealed how the group works day to day.
- Site owners running WordPress are being urged to check for unfamiliar admin accounts and hidden files on their servers.
A gang that spends its days breaking into other people's websites forgot to lock its own front door.
For about three weeks, one of the group's servers sat exposed on the open internet with no password. Anyone who found the address could read the files inside. Security researchers did, and what they saw was the full backstage of a mass website hacking operation.
The files included the group's hacking tools, day-by-day activity logs, and a target list naming more than 1.4 million websites. Most of the targets were sites built on WordPress, the free publishing software that runs a large share of the world's blogs and small business pages.
The operation is now being tracked as WP-SHELLSTORM. The name points to what the attackers plant once they get in: a web shell, meaning a small hidden program that lets them come back and control the site later.
How did the hackers get in?
They went hunting for WordPress sites with weak or outdated pieces, and forced their way in from there. WordPress itself is not the flaw. The trouble is usually the extra plug-ins and themes, small add-on programs written by third parties, that site owners install and then forget to update.
Once inside, the group creates a hidden administrator account and drops a backdoor file on the server. From that point they can post spam, redirect visitors to scam pages, or rent access out to other criminals.
The leaked logs, first reported by The Hacker News, showed the group working through its target list in an industrial way, testing thousands of sites an hour and noting which ones took the bait.
A target list of 1.4 million sites does not mean 1.4 million sites were broken into. The list is closer to a phone book of places the group planned to try. The successful break-ins ran into the thousands, still a serious number, but a small fraction of the list.
What should ordinary site owners do?
If you run a WordPress site, or pay someone to run one for you, this is a good week to check three things.
First, log in and look at the list of administrator accounts. If there is a name you do not recognise, remove it and change every password.
Second, update WordPress itself and every plug-in and theme to the latest version. Old, abandoned plug-ins should be deleted, not just deactivated.
Third, ask your hosting provider whether they can scan the site's files for known backdoors. Many hosts will do this for free.
Ordinary visitors to a hacked site are not usually in direct danger, but they may be pushed toward fake shopping pages or malware downloads. If a familiar site suddenly redirects you somewhere strange, close the tab.
The leak is a reminder that criminal operations are, in the end, just software projects run by people who make mistakes too. This time the mistake was theirs. Next time it will probably be someone else's, and the target list will be longer.



