WordPress sites hijacked via “free” premium plugins
If you run a WordPress site, and are trying to make some money through it, think twice before installing “free” versions of premium plugins.
Researchers from Sucuri have recently analyzed a couple of third-party websites offering such versions for download, and have discovered more than one plugin equipped with malicious code aimed at hijacking any WP site on which they are installed.
The lure is actually quite clever – it is well known that some people are simply never going to pay for software they think they can get for free. But, unfortunately, they might end up paying another kind of price later on.
What motivated the researchers to do a more in-depth investigatio in the matter was finding a “free” SEOPressor plugin installed on a severely infected site they were tasked with cleaning.
After analyzing the plugin’s obfuscated code, they discovered lines of code that notifies the developer who modified it of the URL of the site in question via email. The attacker then visits the site and adds specific parameters in the URL that allow the creation of a new admin user (with a specific password known to the attacker).
“The attacker can now log into WordPress with admin permissions and do whatever he wants with the blog, with the whole site (e.g. injecting a backdoor to some theme or plugin, and then using it to upload malicious files to the server), with the server account (all sites that share the same account can be easily compromised now) and even with the whole server,” the researchers note.
SEOPressor is not the only popular plugin that has been modified by attackers to make this kind of attack possible.
The webmaster of the aforementioned infected site shared with the researchers the origin of the plugins he used: Wplist.org, a third-party site that offeres WP themes, free plugins and tutorials for download.
A quick search revealed that one of the users who submitted one of the “free” premium plugins submitted four more, and all of them had the same malicious backdoors.
Further investigation of Wplist.org‘s offerings and that of its mirror site wplocker revealed five more recently submitted “patched” plugins.
This time, the submitter was the administrator of the site, who also promptly deleted any comments left by other users regarding the malicious nature of the plugins, then would replace it them with “retail” versions.
“Our conclusion is that this practice of posting plugins containing malicious code is typical for these sites,” the researchers said, and advised users to steer clear of pirated plugins (and software in general).
“Think about what you install on your server,” they urged. “Any third-party software that you install can do pretty much anything with your site, and in some cases, with your server. Not all functions may be declared. Many themes and plugins consist of thousands of lines of code and it takes only one line to add a backdoor that can potentially devastate your site. So if you install a plugin or theme, you’d better trust its author and the site where you downloaded it from.”
They advised downloading plugins from the official WordPress repository, or directly from its developer. “Don’t search for ‘free’ copies. Don’t trust links in forums or on sites that offer something that doesn’t belong to them. If you see some really appealing plugin description with a shady download link, then try a Google search for the original version of that plugin.”