5 WordPress Plugins: Creating WordPress Backdoor

WordPress Plugins: Five Vulnerable Plugins Creating WordPress Backdoor

On Monday, June 24th, 2024, the Wordfence Threat Intelligence team uncovered a significant security breach affecting multiple WordPress.org plugins. This discovery came to light after a forum post by the WordPress.org Plugin Review team on June 22, 2024, indicated that the popular plugin Social Warfare had been injected with malicious code. Subsequent investigations revealed four additional plugins with similar malicious modifications. This supply chain attack highlights the increasing sophistication of cyber threats targeting widely used content management systems like WordPress.

Details of the Attack

The compromised plugins identified so far include:

1. Social Warfare (Versions 4.4.6.4 – 4.4.7.1)
   • Patched Version: 4.4.7.3
   • Installations: 30,000+
2. Blaze Widget (Versions 2.2.5 – 2.5.2)
   • Patched Version: None
   • Installations: 10+
3. Wrapper Link Element (Versions 1.0.2 – 1.0.3)
   • Patched Version: None (Latest version tagged as 1.0.0)
   • Installations: 1,000+
4. Contact Form 7 Multi-Step Addon (Versions 1.0.4 – 1.0.5)
   • Patched Version: None
   • Installations: 700+
5. Simply Show Hooks (Version 1.2.1)
   • Patched Version: None
   • Installations: 4,000+

Nature of the Malicious Code

The injected malware in these plugins attempts to create new administrative user accounts and exfiltrates these credentials to an attacker-controlled server. Additionally, the malware inserts malicious JavaScript into the website’s footer, which generates SEO spam across the site. The malicious code, while harmful, is not particularly sophisticated or heavily obfuscated and includes comments that make it easier to trace.

Timeline of the Attack

• Earliest Injection: June 21st, 2024
• Active Updates by Threat Actor: As recently as 5 hours before detection on June 24th, 2024

The precise method through which the attacker compromised these plugins remains unknown at this time. However, the incident underscores the critical importance of maintaining rigorous security practices and monitoring within the WordPress ecosystem.

Response and Mitigation

The Wordfence Threat Intelligence team is currently performing in-depth analysis and is developing malware signatures to detect these compromised plugins. Users running affected versions of the plugins will receive alerts from the Wordfence Vulnerability Scanner. Immediate action is required, including updating to patched versions where available or removing the affected plugins entirely.

Indicators of Compromise

• Malicious Server IP Address: 94.156.79.8
• Generated Admin Usernames: Options, PluginAuth

If you have any of these plugins installed, it is crucial to assume your site is compromised. Immediate steps include:

1. Check and Remove Unauthorized Admin Accounts: Delete any suspicious administrative user accounts.
2. Run a Complete Malware Scan: Use the Wordfence plugin or Wordfence CLI to scan for and remove malicious code.
3. Update or Remove Compromised Plugins: Ensure your plugins are updated to the latest versions or removed entirely if no patched version is available.

How to Clean a Hacked WordPress Site Using Wordfence

Preliminary Steps

1. Backup Your Site: Immediately back up both your site files and database. This ensures you have a copy before any cleaning, protecting against potential data loss. Use FTP, your hosting provider’s backup system, or a backup plugin to download a copy of your entire website.
2. Identify the Hack: Confirm your site is hacked by looking for symptoms such as unsolicited SEO spam in the headers or footers, unrecognized content, or user reports of redirections. Wordfence can also detect many of these issues and provide alerts.

Cleaning the Site

1. Remove Infected Plugins: Delete the entire directory of compromised plugins. This can be done via FTP or directly from the WordPress admin interface.
2. Use SSH for File Examination:
   • Find Recently Modified Files
   • Search for Malicious Code Using Grep
3. Run Wordfence Scan:
   • Install and activate Wordfence.
   • Perform a full scan using the “Scan” menu.
   • Resolve all detected issues.
   • Perform a high-sensitivity scan for thorough cleaning.

Detailed Cleaning Steps

1. Upgrade WordPress and Plugins: Ensure all themes and plugins are updated to their latest versions. Developers frequently release updates to patch vulnerabilities and improve security.
2. Change All Passwords: Update administrative passwords to prevent further unauthorized access. This includes all user accounts, particularly those with administrative privileges.
3. Perform Detailed Scans:
   • Basic Scan: Initially, perform a basic scan to identify obvious infections.
   • High Sensitivity Scan: Enable high sensitivity in Wordfence for a more thorough scan, which can identify more subtle or deeply embedded malware.
4. Inspect and Clean Files:
   • Examine any suspicious files flagged by Wordfence.
   • Manually review or delete files if necessary. Remember to delete entire directories for plugins rather than individual files to avoid leaving your site inoperable.
5. Final Verification:
   • Run another scan to confirm the site is clean.
   • If further assistance is needed, consider signing up for Wordfence Care for regular business hours support, or Wordfence Response for 24-hour emergency support.

Post-Cleaning Steps

1. Backup the Clean Site: After cleaning, make a backup of your now clean site. This will be useful for future recovery if needed.
2. Implement Security Best Practices:
   • Regularly update all components of your WordPress installation.
   • Use strong, unique passwords for all accounts.
   • Install security plugins and configure them properly.
   • Regularly monitor your site for unusual activity.

Conclusion

This supply chain attack on WordPress.org plugins is a stark reminder of the ever-present risks in digital security. Website administrators must remain vigilant, ensuring their sites are updated, regularly scanned for vulnerabilities, and promptly cleaned of any infections. Wordfence provides essential tools and support for managing these security challenges, helping to safeguard the integrity and functionality of WordPress websites.

By following the detailed steps outlined above and staying alert to further developments, WordPress site administrators can effectively mitigate the risks posed by such malicious activities and ensure the ongoing security of their digital assets. Stay proactive and secure in managing your website’s health and safety.