WordPress Plugins: Five Vulnerable Plugins Creating WordPress Backdoor
On Monday, June 24th, 2024, the Wordfence Threat Intelligence team uncovered a significant security breach affecting multiple plugins hosted on WordPress.org, leading to the creation of a WordPress backdoor. This critical discovery emerged shortly after a forum post by the WordPress.org Plugin Review team on June 22, 2024, disclosed that the popular plugin, Social Warfare, had been compromised with malicious code that created a WordPress backdoor. A thorough investigation revealed that four other plugins had also been modified to create similar WordPress backdoors. This supply chain attack underscores the escalating sophistication of cyber threats targeting widely used content management systems like WordPress, with a clear focus on establishing WordPress backdoors for unauthorized access.
Details of the Attack
The compromised plugins identified so far include:
- Social Warfare (Versions 4.4.6.4 – 4.4.7.1)
- Patched Version: 4.4.7.3
- Installations: 30,000+
- Blaze Widget (Versions 2.2.5 – 2.5.2)
- Patched Version: None
- Installations: 10+
- Wrapper Link Element (Versions 1.0.2 – 1.0.3)
- Patched Version: None (Latest version tagged as 1.0.0)
- Installations: 1,000+
- Contact Form 7 Multi-Step Addon (Versions 1.0.4 – 1.0.5)
- Patched Version: None
- Installations: 700+
- Simply Show Hooks (Version 1.2.1)
- Patched Version: None
- Installations: 4,000+
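As an added example that is not Wordfence's or any plugin's own code, the following POSIX shell script checks a plugins directory against the affected version ranges listed above by reading each plugin's "Plugin Name:" and "Version:" headers; the plugins path is an assumed argument.

```shell
#!/bin/sh
# Added example (not Wordfence's code): report installed plugins whose
# "Plugin Name:" and "Version:" headers fall inside the affected ranges
# listed in the advisory. $1 is the wp-content/plugins directory (hypothetical path).
# Affected ranges from the advisory: name|first affected|last affected
AFFECTED='Social Warfare|4.4.6.4|4.4.7.1
Blaze Widget|2.2.5|2.5.2
Wrapper Link Element|1.0.2|1.0.3
Contact Form 7 Multi-Step Addon|1.0.4|1.0.5
Simply Show Hooks|1.2.1|1.2.1'
# Compare two dotted versions component by component; prints -1, 0 or 1.
# Missing components count as 0, so 1.0 equals 1.0.0.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}
# Extract header field $2 (e.g. "Plugin Name") from plugin file $1,
# tolerating the " * ", "#" or "//" comment prefixes used in plugin headers.
header() {
    sed -n "s|^[[:space:]*#/]*$2:[[:space:]]*||p" "$1" | head -n 1 \
        | tr -d '\r' | sed 's/[[:space:]]*$//'
}
# Print "AFFECTED: <name> <version>" for each plugin inside an affected range.
# Single-file plugins live directly in $1; most have their own subdirectory.
check_plugins() {
    for main in "$1"/*.php "$1"/*/*.php; do
        [ -f "$main" ] || continue
        name=$(header "$main" "Plugin Name")
        [ -n "$name" ] || continue
        ver=$(header "$main" "Version")
        printf '%s\n' "$AFFECTED" | while IFS='|' read -r n lo hi; do
            [ "$n" = "$name" ] || continue
            if [ "$(vercmp "$ver" "$lo")" -ge 0 ] && [ "$(vercmp "$ver" "$hi")" -le 0 ]; then
                printf 'AFFECTED: %s %s\n' "$name" "$ver"
            fi
        done
    done
    return 0
}
```

A plugin whose version is above the listed range (for example Social Warfare 4.4.7.3) is not reported, which is the intended behaviour for patched installs.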
Nature of the Malicious Code
The malware injected into these plugins attempts to create a WordPress backdoor by generating new administrative user accounts and sending their credentials to a server controlled by the attackers. It also inserts malicious JavaScript into the website’s footer, which places SEO spam across the site. Despite its harmful nature, the malicious code is not particularly sophisticated or heavily obfuscated, and it contains comments that make it easy to trace how the backdoor is created. This suggests that the attackers were more focused on widespread distribution than on stealth.
Timeline of the Attack
- Earliest Injection: June 21st, 2024
- Active Updates by Threat Actor: As recently as 5 hours before detection on June 24th, 2024
The precise method by which the attacker compromised these plugins remains unknown at this time. The incident nonetheless underscores the critical importance of rigorous security practices and monitoring within the WordPress ecosystem.
Response and Mitigation
The Wordfence Threat Intelligence team is conducting a detailed analysis and developing malware signatures to detect these compromised plugins and the WordPress backdoor they create. Users running affected versions of the plugins will receive alerts from the Wordfence Vulnerability Scanner. Immediate action is required, including updating to patched versions where available or completely removing the affected plugins to close the WordPress backdoor.
Indicators of Compromise
- Malicious Server IP Address: 94.156.79.8
- Generated Admin Usernames: Options, PluginAuth
If you have any of these plugins installed, it is crucial to assume your site is compromised and that a WordPress backdoor has been established. Immediate steps to take include:
- Check and Remove Unauthorized Admin Accounts: Delete any suspicious administrative user accounts to close the WordPress backdoor.
- Run a Complete Malware Scan: Use the Wordfence plugin or Wordfence CLI to scan for and remove malicious code, particularly targeting the WordPress backdoor.
- Update or Remove Compromised Plugins: Ensure your plugins are updated to the latest versions or removed entirely if no patched version is available to prevent further exploitation of the WordPress backdoor.
How to Clean a Hacked WordPress Site Using Wordfence
Preliminary Steps
- Backup Your Site:
- Immediate Action: Before initiating the cleaning process, back up your entire website, including both site files and the database. This step is essential as it provides a fallback in case any data is lost or further issues arise during the cleaning process.
- Methods for Backup:
- FTP (File Transfer Protocol): Use an FTP client like FileZilla to download all the files from your server to your local machine.
- Hosting Provider’s Backup System: Many hosting providers offer automated backup services. Access your hosting control panel and download a recent backup or create a new one if available.
- Backup Plugin: Utilize a reliable WordPress backup plugin like UpdraftPlus or All-in-One WP Migration. These plugins can create a full backup of your website, including your database and files.
- Identify the Hack:
- Visible Signs: Examine your site for common indicators of a hack. This might include:
- Unsolicited SEO Spam: Look for strange or unrelated content in headers, footers, or within the site’s code.
- Unrecognized Content: Check for any posts, pages, or media files that you did not create or upload.
- User Reports: If users report being redirected to other websites or experiencing unusual behavior, this is a clear sign of a breach.
- Use Wordfence for Detection: Install Wordfence if it’s not already in use. This security plugin can detect many of these issues automatically, providing alerts and reports on the problems found.
Cleaning the Site
- Remove Infected Plugins:
- Identify Compromised Plugins: Use Wordfence or manual inspection to identify plugins that have been compromised. Common signs include modified or new files in the plugin’s directory that you did not add.
- Delete the Entire Directory: It’s generally safer to delete the entire directory of the compromised plugin rather than trying to clean individual files. This can be done via FTP or the WordPress admin interface:
- FTP: Navigate to the /wp-content/plugins/ directory and delete the folder of the compromised plugin.
- WordPress Admin Interface: Alternatively, go to the Plugins section in your WordPress dashboard, deactivate the compromised plugin, and then delete it directly from the interface.
- Use SSH for File Examination:
- Access Your Site via SSH: Secure Shell (SSH) allows you to securely access your server’s command line, which is useful for deeper inspection and cleaning.
- Find Recently Modified Files: Use the find command to list files that have been modified recently. This can help you locate files that were altered during the hack. Example command: find /path/to/wordpress/ -type f -mtime -7 (this finds files modified in the last 7 days).
- Search for Malicious Code Using Grep: Use the grep command to search for common malicious code patterns within your files. For example, grep -r "base64_decode" /path/to/wordpress/ can help identify encoded malicious scripts.
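As an added example that is not part of the original advisory, this POSIX shell script ties together the Indicators of Compromise section and the find/grep triage above: it flags the generated admin usernames, lists files that reference the attacker's server address, and ranks recently modified PHP/JS files by how many lines match common loader functions. The WP_ROOT path and the pattern list are assumptions.

```shell
#!/bin/sh
# Added example (not Wordfence's code): hunt for this advisory's indicators and
# triage recently changed files over SSH. The C2 address and usernames come
# from the advisory; paths are hypothetical and passed as arguments.
IOC_IP="94.156.79.8"
IOC_ADMINS="Options PluginAuth"
# PHP functions typical of obfuscated loaders and of account creation. A hit
# is a lead to review, not proof: legitimate plugins also use some of these.
PATTERNS='base64_decode|eval\(|gzinflate|str_rot13|wp_create_user|wp_insert_user'

# Read usernames, one per line, on stdin (e.g. from
#   wp user list --role=administrator --field=user_login)
# and print the ones matching the generated admin names from the advisory.
flag_admin_users() {
    while IFS= read -r user; do
        for bad in $IOC_ADMINS; do
            [ "$user" = "$bad" ] && printf 'SUSPICIOUS_ADMIN: %s\n' "$user"
        done
    done
    return 0
}

# List files under directory $1 that reference the attacker's server.
files_with_c2_ip() {
    grep -rlF "$IOC_IP" "$1" 2>/dev/null
    return 0
}

# List PHP/JS files under $1 modified in the last $2 days that contain any
# PATTERNS, as "<matching lines> <path>", noisiest first. /dev/null is passed
# to grep so it always prefixes the file name, even when find hands it one file.
recent_suspicious_files() {
    find "$1" -type f -mtime "-$2" \( -name '*.php' -o -name '*.js' \) \
        -exec grep -cE "$PATTERNS" /dev/null {} + 2>/dev/null \
        | awk -F: '$NF > 0 { n = $NF; sub(/:[0-9]+$/, ""); print n, $0 }' \
        | sort -rn
    return 0
}

# Typical run over a live install (WP_ROOT is a hypothetical path):
#   files_with_c2_ip "$WP_ROOT/wp-content/plugins"
#   recent_suspicious_files "$WP_ROOT" 7
```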
- Run Wordfence Scan:
- Installation and Activation: If Wordfence is not installed, add it through the WordPress plugin directory and activate it.
- Full Site Scan: Navigate to the “Scan” menu in Wordfence and initiate a full scan. This will check all your WordPress files, themes, plugins, and the database for malware, malicious URLs, and known backdoors.
- Resolve Detected Issues: Wordfence will list any issues found. You should:
- Quarantine Malicious Files: Use Wordfence’s options to quarantine or delete any files that are confirmed as malicious.
- Restore from Original Sources: If Wordfence identifies modified core files or plugin files, restore these from original sources or reinstall the plugin/theme.
- Perform a High-Sensitivity Scan: After resolving the initial issues, adjust Wordfence settings to enable high sensitivity for a more thorough scan. This can uncover more subtle or deeply embedded threats.
Detailed Cleaning Steps
- Upgrade WordPress and Plugins:
- Update Everything: Ensure that your WordPress core, themes, and all plugins are updated to their latest versions. Outdated software often has vulnerabilities that hackers exploit.
- Check for Deprecated Plugins/Themes: Remove any plugins or themes that are no longer maintained by their developers. These are prime targets for hackers.
- Change All Passwords:
- Administrative Accounts: Immediately change the passwords for all administrative accounts. Use strong, unique passwords that combine upper and lower case letters, numbers, and special characters.
- All User Accounts: It’s advisable to change passwords for all user accounts, especially those with higher-level permissions like editors or contributors.
- Database and FTP Passwords: Don’t forget to change your database and FTP passwords as well. These are often targeted by hackers.
- Perform Detailed Scans:
- Basic Scan: Start with a basic Wordfence scan to catch the most obvious threats and infections.
- High-Sensitivity Scan: Next, enable high-sensitivity scanning in Wordfence. This more rigorous scan can detect deeply hidden malware or more sophisticated attack vectors that a basic scan might miss.
- Inspect and Clean Files:
- Review Suspicious Files: Carefully inspect any files that Wordfence flags as suspicious. Common malicious code includes obfuscated PHP scripts, unauthorized scripts in JavaScript files, or hidden iframes.
- Manual Review: If you are familiar with code, manually review suspicious files. Look for unauthorized modifications, such as injected code or unfamiliar file inclusions.
- Delete Entire Directories: For compromised plugins, it’s often safer to delete the entire plugin directory rather than attempting to clean individual files. Reinstall the plugin from the official WordPress repository to ensure you’re using a clean, safe version.
Final Verification
- Run Another Scan:
- Final Sweep: After completing the cleaning process, run another full scan with Wordfence to ensure that all traces of the hack have been removed.
- Confirm Clean Status: Check that the scan results show no remaining issues. If any problems persist, repeat the cleaning process for those specific files or plugins.
- Consider Professional Support:
- Wordfence Care: If you’re unsure about the cleaning process or if issues persist, consider subscribing to Wordfence Care for expert support during regular business hours.
- Wordfence Response: For critical situations that require immediate attention, Wordfence Response offers 24/7 emergency support to help restore your site to a secure state.
Post-Cleaning Steps
- Backup the Clean Site:
- Create a Fresh Backup: Once you’re confident that the site is clean, create a new backup of your website. Store this backup securely so that it can be used in case of future issues, especially to prevent reinfection from a WordPress backdoor.
- Implement Security Best Practices:
- Regular Updates: Consistently update WordPress core, themes, and plugins to their latest versions as new updates are released.
- Strong Passwords: Ensure that all user accounts use strong, unique passwords. Consider using a password manager to generate and store secure passwords.
- Security Plugins: Install and properly configure additional security plugins to provide an extra layer of protection. Wordfence, iThemes Security, and Sucuri are popular choices.
- Monitoring and Maintenance: Regularly monitor your site for any unusual activity or signs of compromise. Implement routine security scans and audits as part of your site maintenance schedule.
Conclusion
This supply chain attack on WordPress.org plugins serves as a stark reminder of the ever-present risks in digital security, particularly the threat of WordPress backdoors. Website administrators must remain vigilant, ensuring their sites are updated, regularly scanned for vulnerabilities, and promptly cleaned of any infections. Wordfence provides essential tools and support for managing these security challenges, helping to safeguard the integrity and functionality of WordPress websites.
By adhering to the detailed steps outlined above and staying alert to further developments, WordPress site administrators can effectively mitigate the risks posed by such malicious activities, including WordPress backdoors, and ensure the ongoing security of their digital assets. Stay proactive and secure in managing your website’s health and safety.