Researchers have found an exploit within almost a dozen WordPress plugins that aim to hijack the user experience and send the visitor a site of the attacker’s choosing. Reinforcing the importance of security hygiene and tools such as a cutting-edge web application firewall, WordPress site managers need to analyze their site risk and patch ASAP.

The Rise of WordPress

WordPress is one tool of many that allows companies, brands and individuals to stake their flag in an online space. Offering a highly adaptive suite of site creation tools, WordPress currently powers over 40% of the websites on the internet. With two out of every five websites using WordPress as a backbone, its security is vital to get just right. And that’s largely an achievable goal – in regards to WordPress itself. A large part of the company’s appeal is that the core of WordPress is specifically designed to be lightweight and lean. This backbone helps reduce code bloat while maximizing flexibility. The adaptability and tailored nature of each site is not powered exclusively by WordPress, but by third-party plugins that offer custom functions, allowing each user to prune and tailor their site toward their own requirements.

These plugins are as varied as their user requirements. From freemium to premium, WordPress hosts a massive repository freely accessible through a site’s backend, installable with a single click. They can add functionalities as simple as new fonts, or highly complex inventory and courseware management capacities. These incredibly varied plugins are a major component to WordPress’ incredibly extensive content management system capabilities. Currently, there are over 60,000 plugins available via WordPress’ official directory.

Despite the sheer number, it’s important to note that not all of these plugins are continuously updated or usable. It’s here that the rapid-fire installation process may represent a danger to the user themself, with few security checks occurring before a plugin is installed. This danger has already been a major concern on platforms that offer similar services as WordPress. The Magecart hacking groups refer to a modus operandi that relies on skimming personal data and credit card details from online eCommerce stores. They rose in notoriety by breaching household names such as British Airways, having cumulatively stolen the data of millions of customers. The name is ripped from the original target of these groups, the Magento platform that offer checkout and shopping cart modules for retail sites, but the attack proved so effective it’s since shifted throughout other sites such as WooCommerce. Today, the attack is facilitated primarily by spyware-infested plugins.

New Backdoors in WordPress Sites

The sheer popularity of WordPress makes it an incredibly appealing target for attackers. According to a recent report by antivirus organization Dr Web, a brand-new Linux-based malware is actively spreading through 30 vulnerabilities throughout a number of outdated plugins. This malware injects malicious JavaScript with the end goal of achieving remote code execution on the victim’s device.

The malware targets both 32-bit Linux systems and the 64-bit counterpart, hacking its associated WordPress site via a successive list of exploits until one of them works. Thankfully, the report detailed precisely which plugins have been found to include this vulnerability. If any of the following are included in your WordPress site, take immediate action:

  • WP GDPR Compliance
  • Easysmtp
  • Yellow Pencil Visual Theme Customizer
  • Newspaper Theme
  • Google Code Inserter
  • Thim Core
  • Total Donations Plugin
  • WP Quick Booking
  • Post Custom Templates Lite
  • Blog Designer
  • Ultimate FAQ
  • WP Live Chat
  • ND Shortcodes For Visual Composer
  • Coming Soon Page
  • Maintenance Mode
  • Hybrid
  • Facebook Live Chat (by Zotabox)
  • WP-Matomo Integration

If a site runs any of these vulnerable plugin versions, the malware automatically reaches oit to its associated command control server, in order to fetch its associated malicious JavaScript. This JavaScript is then injected into the vulnerable site. Infected pages are used to redirect visitors to a location chosen by the attacker. Though this makes the attack particularly potent on abandoned sites, the damage committed on active brands and their image can be substantial.

For instance, these redirecting pages can now become parts of broader attacks such as phishing and malware distribution. Their role within broader campaigns makes researchers speculate that the operators of this exploit may be selling their illicit product to other profiteering cybercriminals.

Protecting Against Vulnerability Exploitation

It’s clear that all vulnerable plugin instances need to be purged from their associated sites. However, plugins are not always actively maintained, and can sometimes genuinely offer the best functionality – vulnerabilities aside.

The next-gen Web Application Firewall (WAF) helps protect your site and its visitors, while foiling any opportunistic attempt by an attacker. Sitting at the intersection between an application and its connections with the outside world, the WAF monitors, filters and blocks incoming and outgoing requests between an application and the broader public internet. WAFs can sit on the cloud, a network, or be host-based, and all typically sit in front of an application or website. The traditional WAF blocks malicious connections based on a set of predetermined policies set by your security team. This doesn’t suit an ever-changing digital world, leading to the development of a multi-pronged approach to the WAF. Firstly, attack signature recognition allows for renowned malicious connections to be terminated before an attacker can pull off a payload. Secondly, the next gen part describes artificial intelligence algorithms that aim to proactively and accurately perform behavioral analyses on traffic patterns. This allows for the detection of brand new attacks that don’t necessarily match oldschool patterns.

By updating traditional security measures to match today’s ever-evolving attack surface, it’s possible to keep your site and its visitors safe from the constant malvertising and phishing campaigns – and their prolonged evasion.