Hackers have launched a massive attack against more than 900,000 WordPress sites. Hackers used at least 24,000 IP addresses over the past month to send malicious requests. The attacks seem to be the work of a single threat actor, says Defiant. The attackers focused on exploiting cross-site scripting (XSS) vulnerabilities in plugins that received a fix months or years ago and had been targeted in other attacks. Administrators of WordPress sites should update their plugins and remove those that are no longer in the WordPress repository.
Source: https://www.bleepingcomputer.com/news/security/massive-campaign-targets-900-000-wordpress-sites-in-a-week/