Malicious WordPress plugin installed backdoor on thousands of websites

Widget plugin spewed spam to unsuspecting victims

Hackers have used a WordPress plugin to install backdoors on up to 200,000 websites, allowing spam to be uploaded onto unsuspecting websites.

According to research carried out by IT security firm WordFence, the plugin, known as Display Widgets, should be removed immediately by website owners. The firm said that the last three releases of the plugin have contained code that allows the author to publish any content on an affected site.

"The authors of this plugin have been using the backdoor to publish spam content to sites running their plugin. During the past three months the plugin has been removed and readmitted to the WordPress.org plugin repository a total of four times," said Mark Maunder, CEO of WordFence. 

Maunder said that the plugin was originally developed as an open-source plugin by its original author, but was then sold on 21 June. An updated version, 2.6.0, was released by its new owner immediately. WordFence was informed by David Law, a UK-based SEO consultant, that the widget had begun installing additional code and had then started downloading data from Law's own server.

On 23 June, WordFence removed Display Widgets, and a week later the new owner released version 2.6.1 of the plugin. This release contained a file called geolocation.php which, unnoticed at the time, contained malicious code. This code allowed the plugin author to post new content to any website running the plugin, at a URL of their choosing.

"Furthermore, the malicious code prevented any logged-in user from seeing the content. In other words, site owners would not see the malicious content. David Law again contacted the plugin team and let them know that the plugin is logging visits to each website to an external server, which has privacy implications," said Maunder.
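The cloaking Maunder describes, content served to anonymous visitors but withheld from logged-in users, is something a site owner can check for directly. The following is an added example, not code from the article or from WordFence: given two fetches of the same page, one without cookies and one with a login session, it lists the visible text and links that only the anonymous visitor receives. The sample HTML is constructed.

```python
from html.parser import HTMLParser

class _Extractor(HTMLParser):
    """Collect visible text and link targets from an HTML page, in order."""

    def __init__(self):
        super().__init__()
        self.items = []
        self._skip = 0  # depth inside <script>/<style>, whose text is never shown

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.items.append(f"link:{href}")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        text = " ".join(data.split())
        if text and not self._skip:
            self.items.append(f"text:{text}")

def page_items(html):
    parser = _Extractor()
    parser.feed(html)
    return parser.items

def cloaked_items(anonymous_html, logged_in_html):
    """Text and links in the anonymous view that the logged-in view lacks."""
    hidden = set(page_items(logged_in_html))
    seen, result = set(), []
    for item in page_items(anonymous_html):
        if item not in hidden and item not in seen:
            seen.add(item)
            result.append(item)
    return result

# Constructed sample: the same post, with a spam block only in the anonymous fetch.
ANON_HTML = """<html><body><h1>My Blog</h1><p>Welcome to my site.</p>
<div class="widget"><p>Cheap deals here</p><a href="http://spam.example/deals">buy now</a></div>
</body></html>"""
LOGGED_IN_HTML = """<html><body><div id="wpadminbar">Howdy, admin</div>
<h1>My Blog</h1><p>Welcome to my site.</p></body></html>"""
```

Run `cloaked_items` on the two fetches of a real page; any text or outbound link it returns is content the logged-in administrator would never see in the dashboard or front end.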

On 1 July the plugin was pulled from the WordPress repository, only to be followed by version 2.6.2 on 6 July. Again, it included the malicious code referenced above, which had still gone unnoticed.

It was on 23 July that a user by the name of Calvin Ngan opened a Trac ticket reporting that Display Widgets was injecting spammy content into his website. He included a link to Google results that had indexed the spam and said the malicious code was in geolocation.php.

In September, version 2.6.3 of the plugin was released, and it included the same malicious code. Last week, a forum user on WordPress.org reported on the Display Widgets plugin support forum that spam had been injected into their website.

"The authors of the plugin are actively maintaining their malicious code, switching between sources for spam and working to obfuscate (hide) the domain they are fetching spam from," said Maunder.

The widget was removed permanently on 8 September, but Maunder tracked down the plugin's new buyer to a service called WP Devs, which buys old and abandoned plugins.

His investigations found that the company appears to be run by one person in the US and possibly another in Eastern Europe, judging by linguistic errors made by the poster.

Maunder said that people in the WordPress community should not "start any witch hunts". 

"Occasionally plugins change ownership and very rarely, that doesn't go well. That appears to be what happened in this case," he said.
