Dodgy add-ons masquerading as patched versions of plug-ins
WordPress users have been warned about malicious plugins that claim to offer patches for legitimate add-ons, but actually give outside attackers access to sites based on the platform.
One such plugin, called SEOPressor, allowed the tool’s creator to make themselves admin for the affected site. That would let the attacker do whatever they wanted to the affected site.
Similar backdoor code was found in other add-ons, including Restrict Content Pro and Flat Skin Pack Extension, security firm Sucuri said in a blog post.
It later discovered many of the “patched” plugins were found on a site called wplist.org, where a user had uploaded the malicious files in summer 2013. In February and March 2014, similar files were added to the site and its sister website wplocker.com.
“Our conclusion is that this practice of posting plugins containing malicious code is typical for these sites. Moreover, when in their very own comments area people warn about malicious ‘extras’ they have found in the plugins, the admin readily replaces them with ‘retail’ versions,” Sucuri said.
It recommended site owners to avoid downloading any plugins from non-official channels.
“Think about what you install on your server. Any third-party software that you install can do pretty much anything with your site, and in some cases, with your server. Not all functions may be declared,” Sucuri added.
“Many themes and plugins consist of thousands of lines of code and it takes only one line to add a backdoor that can potentially devastate your site. So if you install a plugin or theme, you’d better trust its author and the site where you downloaded it from. On the road between the software developer and you, anyone could potentially make changes.”
Last year, Israeli firm Checkmarx warned of scores of flawed yet hugely popular WordPress add-ons, which could have been exploited by hackers to acquire control over a website.
What do you know about Internet security? Find out with our quiz!