Millions of WordPress websites are under threat after a critical security breach involving several popular plugins. Security researchers discovered malicious code injected into these plugins, granting hackers the ability to create unauthorized administrator accounts. This compromise can lead to severe consequences for website owners, including data breaches and total website takeovers.
The specific number of affected plugins and websites is still under investigation. However, initial reports suggest prominent plugins with thousands of active installations might be involved, raising serious concerns about the overall security of the WordPress ecosystem and the vulnerability of websites built on the platform.
Website owners using the compromised plugins are at significant risk. Hackers with administrator access can deface websites, steal sensitive data like customer information, or even install malware that can harm visitors’ computers.
How Hackers Gained Control
The recent WordPress plugin compromise involved a sophisticated attack strategy. Experts believe hackers exploited vulnerabilities in the software supply chain, the network of development tools, and resources used to create plugins.
Hackers might have found weaknesses during the development process of the compromised plugins, such as vulnerabilities in the code itself or security lapses within the development environment. By exploiting these weaknesses, they could have injected malicious code that remained undetected during initial reviews.
Another scenario could involve hackers compromising a third-party library used by multiple plugins. These libraries consist of pre-written code snippets that developers incorporate into their plugins to add specific functionalities. If a hacker infiltrated a widely used library, they might have administered malware that would be embedded in all plugins using that library. It creates a wider attack surface, potentially affecting a large number of plugins and websites simultaneously.
The specific method used by the malicious code to create unauthorized accounts might vary depending on the plugin. However, the general idea is that the code exploited a vulnerability to bypass security measures — manipulating data stored in the website’s database or tricking the WordPress core software into accepting a new account without proper authentication.
Website Takeover: Potential Consequences of the WordPress Plugin Breach
One of the immediate consequences of a compromised website is defacement. Hackers with administrator access can alter the website’s content and appearance. They can display offensive or misleading information, disrupting the user experience and causing significant reputational damage to the website owner.
Additionally, the potential for data theft is a major concern. Hackers can exploit their access to steal sensitive information stored on the website, including customer data like names, email addresses, and even credit card information. Also, login credentials for administrators or other users might be targeted, giving hackers ongoing access to the website.
Cybercriminals can leverage compromised websites to distribute malware further. They might install malicious scripts that infect visitors’ computers with malware or redirect them to phishing websites designed to steal personal information. It can not only harm the website’s reputation but also endanger the security of its visitors.
While less severe than data theft, another potential consequence is SEO spam. Hackers might inject spammy content into the website in an attempt to manipulate search engine rankings, making the website appear irrelevant to its intended audience and negatively impacting its organic search visibility.
Not to mention that the financial impact of a website compromise can be significant. Website owners might face costs associated with website recovery, data breach notification, and potential legal repercussions. Additionally, the damage to brand reputation can be difficult to quantify but can have a lasting negative impact on a business.
Affected Plugins & Resources
The specific plugins compromised in this attack have been identified as:
- Social Warfare (versions 4.4.6.4 – 4.4.7.1)
- Blaze Widget (versions 2.2.5 – 2.5.2)
- Wrapper Link Element (versions 1.0.2 – 1.0.3)
- Contact Form 7 Multi-Step Addon (versions 1.0.4 – 1.0.5)
- Simply Show Hooks (version 1.2.1)
“This plugin has been closed as of June 24, 2024 and is not available for download. This closure is temporary, pending a full review,” states WordPress if you visit the respective pages for these plugins.
Indication of Compromise
The attacker is sending data to the IP address 94.156.79.8. The administrative user accounts currently identified are named Options and PluginAuth.
Sudden changes in website content or layout, unexpected pop-ups or ads, and slow loading times can all be signs of a compromised website, requiring immediate action. Deactivate and remove the compromised plugin as soon as possible.
Regularly check the list of user accounts within your WordPress dashboard. Look for any accounts you don’t recognize, especially those with administrator privileges. Consider using a security scanner specifically designed for WordPress websites to detect malware and other vulnerabilities that might indicate a compromise.
Visit the official WordPress plugin directory to check for updated versions or security patches released by the plugin developers in response to this attack.
Proactive Measures for Securing Your Website
The most critical defense against such type of attack is keeping all your WordPress plugins and themes updated with the latest versions. Plugin developers often release updates to fix security vulnerabilities. By installing these updates quickly, you significantly lower the chances of your website getting hacked through known weaknesses.
Consider enabling the automatic update feature in your WordPress dashboard to ensure that you have the latest security patches without manual intervention. Periodically review the update log to keep up with any potential issues that may arise.
Strong, unique passwords for each of your WordPress accounts can significantly enhance security, too. Avoid using easily guessable passwords or the same password for multiple accounts — use a password manager to generate and store strong, unique passwords for each website.
Enable 2FA for your WordPress administrator accounts to add an extra layer of security by requiring a second verification code, typically sent to your phone, in addition to your username and password during login attempts. Multi-factor authentication makes it harder for hackers to gain unauthorized access, even if they obtain your password.
Additionally, use security plugins specifically designed for WordPress. These plugins offer various functionalities like malware scanning, intrusion detection, and website hardening measures. While not a replacement for the core security practices mentioned above, security plugins can provide an additional layer of protection for your website.
If you need additional help scanning for vulnerabilities automatically, check out our picks for the best vulnerability scanners for businesses.
