New Malware Campaign Targeting 11 WordPress Plugins


If you were to poll everyone who runs a personal website for ‘self’ ventures, whether a blog, a forum for their ideas, or anything else ‘self’-oriented in a similar way, you’d find that the majority of those sites were built on WordPress. Despite being one of the oldest web publishing platforms still in use, it is as present as ever online.

That makes it worth mentioning whenever an external threat endangers the well-being of websites built on WordPress. This isn’t the first time the software has been the target of hackers, and it very likely won’t be the last.

Here at 4GoodHosting, we think part of being a leading Canadian web hosting provider is keeping our valued customers up to date on developments that may affect their online well-being. Since we can safely assume that a good many of the sites hosted with us are WordPress sites, we’ll dedicate today’s blog to making you aware of this new risk.

The Skinny

Serious vulnerabilities in at least 11 WordPress plugins began to be exploited last month, and they appear to be in use in an ongoing malware campaign. This was reported in the circles where it needed to be; what’s new is that the hackers appear to have changed their tactics over the last two weeks.

In the first stage of the campaign, malicious code was injected into sites to make them show pop-up advertisements or, worse, redirect visitors to rogue websites.

Then about 3 weeks ago, on the 20th of last month, the hackers changed their code so that it also determines whether a visitor has the rights to create user accounts on the site. When someone with admin rights logs in, the malicious code creates a new admin account that is unlikely to be noticed by the legitimate administrator.

To catch this, look for an administrator account with the email address wpservices@yandex.com; the account is created with the password w0rdpr3ss.

The hackers then use this admin account as a back door, returning at a later date when suspicion that anything is amiss is at its lowest.

The Eleven Plug-Ins Affected

At this point the hackers’ focus is on old vulnerabilities in 11 plugins. The first to be identified as at-risk and insecure, several weeks ago, were Yuzo Related Posts and WP Live Chat Support. They’ve since been joined by 9 others that have also been identified as potentially at risk:

  • Bold Page Builder
  • Blog Designer
  • Live Chat with Facebook Messenger
  • Visual CSS Style Editor
  • Form Lightbox
  • Hybrid Composer
  • All former NicDark plugins (including nd-booking, nd-travel and nd-learning)

Update and Security Precaution Information

It should also be mentioned that the plugin developers have since released patches that repair the vulnerabilities. That’s great, but the problem, of course, is that many users are not running the latest version of these plugins.

Updating plugins to the most recent version is recommended, but even so, admins should check the user accounts on their website. If unknown admin accounts are found, delete them immediately. It is then also important to verify the site’s files to ensure there are no ‘back doors’ through which the malware can regain entry if it needs to. If you are unsure, restoring a backup is your best bet.
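The account check described above, written out as an added example that is not code from the original post or from WordPress or WP-CLI: a POSIX shell script that takes the CSV WP-CLI prints for `wp user list --role=administrator --fields=ID,user_login,user_email --format=csv` and flags any administrator whose email matches the indicator named in this post, or whose login is not on an allow-list of administrators the site owner recognises. The allow-list and the sample CSV are constructed for the example, and the WP-CLI invocation is assumed to be available on the host.

```shell
#!/bin/sh
# Added example, not code from the 4GoodHosting post or from WordPress/WP-CLI.
# Flags suspicious administrator accounts in the CSV that WP-CLI prints for:
#   wp user list --role=administrator --fields=ID,user_login,user_email --format=csv
# On a live site, replace the constructed SAMPLE_CSV below with that command's output.

# Indicator named in the post: the email address the injected code gives its rogue admin.
IOC_EMAIL="wpservices@yandex.com"

# Constructed allow-list (assumption): the administrator logins the site owner recognises.
KNOWN_ADMINS="siteowner editor_jane"

# Constructed sample of WP-CLI CSV output, including one account using the
# indicator email and one unrecognised admin with an innocuous-looking address.
SAMPLE_CSV='ID,user_login,user_email
1,siteowner,owner@example.com
7,editor_jane,jane@example.com
42,wpservices,wpservices@yandex.com
43,backup_svc,admin@example.net'

# is_known LOGIN: succeed (0) when LOGIN is on the allow-list, fail (1) otherwise.
is_known() {
  for known in $KNOWN_ADMINS; do
    [ "$known" = "$1" ] && return 0
  done
  return 1
}

# flag_admins: read the CSV on stdin and print one tab-separated line
# "REASON ID login email" per administrator that warrants a look.
# IOC_EMAIL is checked first so the known indicator is named explicitly
# even when the login also happens to be unrecognised.
flag_admins() {
  tail -n +2 | while IFS=, read -r id login email; do
    if [ "$email" = "$IOC_EMAIL" ]; then
      printf 'IOC_EMAIL\t%s\t%s\t%s\n' "$id" "$login" "$email"
    elif ! is_known "$login"; then
      printf 'UNKNOWN_ADMIN\t%s\t%s\t%s\n' "$id" "$login" "$email"
    fi
  done
}

# count_flagged: read the CSV on stdin and print how many accounts were flagged.
count_flagged() {
  flag_admins | wc -l | tr -d ' '
}

# Run against the constructed sample; on a real host pipe the wp command in instead.
printf '%s\n' "$SAMPLE_CSV" | flag_admins
```

Matching on the indicator email alone is not enough, since the attacker can change it at any time; the allow-list comparison is what catches an admin account you did not create regardless of the address it uses. Any flagged account should be deleted as the post advises, and the site’s files checked afterwards.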

For non-technical users who uncover unauthorized access to their website, it may make sense to hire a security consultant to help disinfect your WordPress site, if it’s an expense you can take on. It’s likely not as expensive as you think, and it should give you greater peace of mind.

4Bloggers: Top-Rated WordPress Free Plug-ins


Need some starter help sorting through over 40,000 WordPress plugins?

That’s a lot of functionality, and most of it is free. You could spend hours just learning about the basics. This article is here to help save you time.

Here are some popular ones that we thought you should consider.

1. Google Analytics

Google Analytics (often abbreviated “GA”) is a valuable tool for measuring and optimizing the performance of your website. The Google Analytics plugin (by Yoast) makes it quite simple to install GA into your WordPress installation, and it delivers all of the benefits of GA. It is in use on more than 1,000,000 sites.

2. WordPress SEO

WordPress is a great content management platform for search engine optimization, and the Yoast SEO plugin builds upon WordPress’s built-in SEO features.

SEO methods are always changing to adapt to Google’s ranking algorithm updates, and this plugin eases that pain: it is updated regularly, every couple of months, to keep up with current SEO best practices.

3. Intuitive Custom Post Order

Intuitive Custom Post Order is a plugin that lets you easily re-order the way WordPress displays your posts. This should really be a built-in WordPress feature; without a re-ordering plugin, you cannot easily re-arrange the order of your blog posts as you see fit.