New Malware Campaign Targeting 11 WordPress Plugins

If you were to take a poll of everyone who has their own personal website for ‘self’ ventures – whether that’s a blog, a forum for ideology, or anything else ‘self’-oriented in a similar way – you’d find that the majority of those sites were built on WordPress. Despite the fact that it’s as old as one can imagine in the world of web publications resources, it’s still as present as ever in the online world.

This makes it so that it’s worthy of mention anytime an external force threatens the well being of websites built on WordPress. This isn’t the first time the software suite has been the target of hackers, and it very likely won’t be the last.

Here at 4GoodHosting, we think part of being a leading Canadian web hosting provider is keeping our valued customers up to date on developments that may influential to their online well being. Considering we can go ahead and assume that a good many of the sites hosted through us are WordPress sites, we’ll dedicate today’s blog to making those of you aware of this new risk.

The Skinny

These new serious vulnerabilities in at least 11 plugins for WordPress started to be seen last month, and it appears they are currently being used in an ongoing malware campaign. This was reported on in the circles where it needed to be, but what’s new with all of this is that that the hackers appear to have changed their tactics over the course of the last two weeks.

The first instance of this featured malicious code being injected into sites to prompt them to show pop-up advertisements, or – worse – redirect the visitor to rogue websites.

Then about 3 weeks ago, on the 20th of last month, the hackers changed their code and it is now also able to determine if a visitor has the rights to create user accounts on the site. Should someone with admin rights log in, the malicious code then is able to created a new admin account that won’t be noticed the principal authorized user.

To catch this, be on the lookout for email addresses reading as wpservices@yandex.com, along with the password w0rdpr3ss.

What the hackers do in this instance is use this admin account as a back door to enter at a later date when – ideally – suspicion of anything being amiss is at its lowest.

The Eleven Plug-Ins Affected

At this point the hackers focus is on old vulnerabilities with 11 plugins. First to be identified as at-risk and insecure several weeks ago were Yuzo Related Posts and WP Live Chat Support. They’ve been joined by 9 others that have since then also been identified as potentially at risk:

  • Bold Page Builder
  • Blog Designer
  • Live Chat with Facebook Messenger
  • Visual CSS Style Editor
  • Form Lightbox
  • Hybrid Composer
  • All former NicDark plugins (including nd-booking, nd-travel and nd-learning)

Update and Security Precaution Information

It needs mentioning as well that the plugin developers have since released patches that repair the vulnerabilities. That’s great, but the problem of course is going to be that there are users who do not use that plug-in’s latest version. A lot of them too.

Updating plugins to the most recent version is recommended, but even still admins should check the user accounts on their website. If unknown admin accounts are found, deleting them immediately is important. It is subsequently also important to verify the files to ensure that there are no ‘back doors’ where the malware can gain re-entry if it needs too. If you are unsure, restoring a backup is your best bet.

For Non-technical users who uncover unauthorized access to their website, it may make sense to hire a security consultant who can assist with the disinfecting of your WordPress website if it’s an expense you can assume. It’s likely not as expensive as you think, and it should provide you with greater peace of mind.

Post Navigation