WordPress plugins allow users to completely customize their website features and experience for visitors, and also serve as a mainstay of the WordPress experience. It’s safe to say that without them, WordPress wouldn’t have grown to power over 28% of the internet. But did you know that WordPress used to exist without plugins? In this post, I’ll give you a short history of when and why plugins came to be and what the future holds for WordPress because of them.
Fake, malicious WordPress plugins are not new. The proliferation of fake or malicious plugins generating spam files, though, has blossomed in recent months. We’ve seen blatant rip-offs of existing plugins, fake plugins that are one letter away from their legitimate counterpart, and even a created-from-scratch, malware-serving plugin using a ripped version of the WordPress.org plugins site.
This week we’ll discuss how fake or malicious plugins get on to WordPress sites, analyze a well known fake plugin to provide a sense of what they can do, look at a non-exhaustive list of fake plugins and a couple of interesting features, and discuss ways to avoid being victimized by fake or malicious plugins.
How Fake WordPress Plugins Infect Sites
Unfortunately there’s no one concrete way fake plugins end up on WordPress sites. We can however discuss a few common ways they are “installed.” And the first method is just that–a fake plugin is installed by the site owner.
Website Owner Installs
Malicious plugin authors are adept and persistent. Bad actors will co-opt existing, usually not well-known plugins, steal the code and post the plugin on any number of third-party WordPress sites. Unsuspecting site owners looking for some capability find the fake, malicious plugin, install it, and the new capability may or may not work. What is likely to work is the malicious code inside the fake plugin.
Compromise Of A Legitimate Plugin
The most likely way a fake WordPress plugin makes it onto a website is through the compromise of an existing, vulnerable plugin. The Revolution Slider vulnerability was a major and long-lasting battle with compromised WordPress sites and the resultant spam.
Compromised Website Logins
Another method fake plugins are installed is an FTP or hosting control panel credentials compromise. A compromised workstation is a password-stealing trojan away from transmitting sensitive user names and passwords to bad actors who may take complete control of a site and install any number of types of malware, including fake plugins.
An (In)famous Fake Plugin
We’ll begin our fake plugin survey with one of the most infamous fake WordPress plugins, the ‘Docs’ plugin. Docs, occasionally docs, is a spam file creator which creates hundreds if not thousands of .dat spam files. It places them in a directory named cache and maps the files with a file called sitemap.html. Here you can see the code that does just that.
And here is a partial directory listing of the generated spam files.
The spam files themselves, in this example, contain links shucking drug rehab.
<li><a href=”http://example.com/recovering-drug-addict-behavior”>Recovering drug addict behavior</a></li>
<li><a href=”http://example.com/recovery-from-pain-killer-addiction”>Recovery from pain killer addiction</a></li>
<li><a href=”http://example.com/drug-rehabilitation-near-me”>Drug rehabilitation near me</a></li>
<li><a href=”http://example.com/pcp-drug-treatment”>Pcp drug treatment</a></li>
<li><a href=”http://example.com/celebrities-in-recovery”>Celebrities in recovery</a></li>
.dat File Snippet
This spam will become an easy source of black hat SEO for the bad actors, boosting other sites’ rankings while hurting the SEO of the infected site — even causing the attacked site to become blacklisted by search engines.
A Few Fake WordPress Plugins We’ve Seen
Here is a non-exhaustive list of plugins we’ve seen while dealing with infected WordPress sites.
Sample Listing of Fake WordPress Plugins
A common tactic of fake plugins is to use legitimate comments or code to try to mask their existence. Take wp-amazing-updater for example. Wp-amazing-updater is a fake plugin which is a password protected uploader and more, and it uses the comments from the BNS Add Widget plugin in its main PHP file. Here are the fake plugin’s directory listing and the legitimate comments in the malicious plugin file.
Another fake plugin, theme-check, uses a barely obfuscated shell, the WSO shell, in its included file, db.php. Here is a snippet of the shell’s code.
Some fake plugins are overwhelmingly normal code while others are overwhelmingly malicious. Still others co-opt legitimate parts of a platform, here WordPress, to deliver the functions to exploit a site. The code below is from the ‘research_plugin’ that provides a simple to access backdoor. Function research_plugin(), which is an eval request to run arbitrary commands, is called whenever the theme is initialized through through the add_action hook.
How to Protect Yourself
It can be difficult to detect fake, malicious WordPress plugins installed on a website, especially if you don’t know what you’re looking for. The best thing a site owner or developer can do is regularly check the installed plugins through the WordPress admin dashboard, and look through the installation files directly in /wp-content/plugins with an FTP client or hosting control panel. Look for any plugins listed above or any that you do not recognize, and then check wordpress.org/plugins to search for the plugin’s directory name to verify if it’s legitimate.
Also using a security scanner, like SiteLock INFINITY malware scanning solution, can monitor your site for the malware contained in fake plugins and alert you to the plugins and, in the case of INFINITY, automatically clean the malicious content for you. Read what WP Buffs has to say about SiteLock then give us a call at 855.378.6200 to speak with a Website Security Consultant today.
Website security is one of those things that needs to be addressed (the horror stories of hacked websites are everywhere), but it tends to get put off for many reasons. Some of us underestimate the importance of securing our website, some are afraid it will be expensive, and some think it will be too hard to manage without an IT person on staff. The truth is, website security is critical to your business, but also very easy to implement.
We’ve listed three easy ways to improve your website security:
1. Ensure safe online shopping for your eCommerce customers
As an eCommerce website, you can maximize your sales opportunity by displaying a trust seal. Most website scanning services provide a trust seal to publish on the website’s homepage to show visitors that the website has been scanned and is free of malware and viruses. Trust seals are also used to boost customer confidence.
2. Update your plugins
This is one of the easiest things you can do to protect your website, and also one of the most important. Using outdated versions is the single most common way for a hacker to gain entry to your website, and all your information, and often that of your customers. So make a list of all the plugins and third-party software on your site, peruse it, and purge (uninstall) anything you no longer use. For the ones you do use and want to keep, make sure you have the latest versions and updates installed.
3. Educate your employees about phishing emails
If you are someone who is extremely cautious about opening emails from unknown or large company senders, it may be hard to believe anyone still opens phishing emails or (gasp!) downloads the enclosed attachments. But the reality is that not everyone is aware. And even those who are careful are often so busy and inundated with emails that a few might slip through the cracks. Plus, hackers are getting scary good at impersonating legitimate business emails – PayPal, FedEx, Apple, to name just a few – and luring victims to click on links in order to update account information, track a package, download an important update, etc. All you need is one employee to click on one of these fraudulent download links, and you could be handing over your entire business to a criminal. Financial data for you and your customers – stolen, and your reputation – ruined, in a matter of seconds.
Follow these three easy ways to improve your website security. If you need help with any of the items listed above, give the SiteLock experts a call 855.378.6200. We are available 24/7/365 to help.