200,000 Websites Hit By Malicious Plugin Installing Backdoor
A backdoor has been added to the “Display Widgets” WordPress plugin, and the compromised releases have been installed on an estimated 200,000 websites since June this year.
Display Widgets is an open-source plugin that lets site owners control which widgets appear on which pages of their site, and the attacker has used it as the delivery mechanism. The persistence of the attacker is as remarkable as the number of sites affected: WordPress.org removed the plugin from its directory on several occasions between June 22 and September 8, and each time the attacker pushed a new release.
While the plugin has not been available from WordPress.org since September 8, Wordfence, a private company that publishes its own security plugin for WordPress, has issued a warning to WordPress users.
“If you have a plugin called ‘Display Widgets’ on your WordPress website, remove it immediately. The last three releases of the plugin have contained code that allows the author to publish any content on your site. It is a backdoor,” Wordfence wrote.
Content Management Systems such as WordPress have been targeted in this way for many years. In this case, the backdoor lets the plugin's new owner publish spam content on affected sites without the site owners' knowledge, and with this plugin that is thought to be in the region of 200,000 websites.
Wordfence has also detailed WordPress.org's repeated attempts to keep the plugin out of its directory. The original author built the plugin as a legitimate open-source project and sold it on 21 June. That is when the problems began.
WordPress Hack Timeline:
June 21: The new owner releases updated version 2.6.0.
June 22: UK SEO consultant David Law notices that the plugin is installing additional code fetched from an external server. He informs WordPress.org.
June 23: WordPress.org removes Display Widgets from the plugin directory.
June 30: The owner releases version 2.6.1, which now carries the backdoor in a file named “geolocation.php”. WordPress.org does not recognise it as malicious. The effect of the backdoor is the same as before, but the code is better at avoiding detection.
“Furthermore, the malicious code prevented any logged-in user from seeing the content. In other words, site owners would not see the malicious content. David Law again contacted the plugin team and let them know that the plugin is logging visits to each website to an external server, which has privacy implications,” Wordfence wrote.
July 1: WordPress.org pulls the plugin again.
July 6: The owner releases version 2.6.2, still containing “geolocation.php”; WordPress.org still does not detect the malicious code.
July 23: Another user finds that Display Widgets is publishing spam on his website.
July 24: WordPress.org removes the plugin.
September 2: The owner releases version 2.6.3. The malicious code is still present, and the release also includes several bug-fixes, showing that the plugin is being actively maintained.
September 7: Another user complains that the plugin is spamming their site.
September 8: WordPress.org removes the plugin for the final time.
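As an added example (not code from this article, from Wordfence or from the plugin itself), here is a small Python checker that does what the warning above asks a site owner to do: find the plugin under wp-content/plugins, read the version from its plugin header, look for the “geolocation.php” file named in the timeline, and list any files whose output depends on whether a user is logged in, since that is how the spam was hidden from site owners. It assumes the standard WordPress directory layout and the plugin directory slug display-widgets; the logged-in-user heuristic is an assumption for manual review, and the sample installs it audits are constructed fixtures, not real plugin code.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "display-widgets"
# Releases the timeline attributes to the new owner (assumed to match the plugin header).
SUSPECT_VERSIONS = {"2.6.0", "2.6.1", "2.6.2", "2.6.3"}
# The file the timeline names as carrying the backdoor from 2.6.1 onwards.
SUSPECT_FILE = "geolocation.php"

# WordPress plugin header convention: a "Version: x.y.z" line in the main file's comment block.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def plugin_version(plugin_dir):
    """Return the Version: value from the first top-level .php file that declares one."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        match = VERSION_RE.search(php.read_text(errors="ignore")[:8192])
        if match:
            return match.group(1)
    return None


def audit_display_widgets(wp_root):
    """Audit one WordPress install (directory containing wp-content) for Display Widgets."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return {"installed": False, "remove_now": False}

    version = plugin_version(plugin_dir)
    findings = {
        "installed": True,
        "version": version,
        "known_bad_version": version in SUSPECT_VERSIONS,
        "has_geolocation_php": (plugin_dir / SUSPECT_FILE).is_file(),
        # Assumed heuristic: the spam was hidden from logged-in users, so files whose
        # output branches on is_user_logged_in() are listed for manual review.
        "review_for_cloaking": [],
        # Wordfence's advice is to remove the plugin whatever version is installed.
        "remove_now": True,
    }
    for php in sorted(plugin_dir.rglob("*.php")):
        src = php.read_text(errors="ignore")
        if "is_user_logged_in" in src and re.search(r"\b(echo|print)\b", src):
            findings["review_for_cloaking"].append(str(php.relative_to(plugin_dir)))
    return findings


def build_sample_install(root, version, with_geolocation):
    """Constructed fixture standing in for a WordPress install; not real plugin code."""
    plugin_dir = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
    plugin_dir.mkdir(parents=True)
    (plugin_dir / "display-widgets.php").write_text(
        "<?php\n/*\nPlugin Name: Display Widgets\nVersion: %s\n*/\n" % version
    )
    if with_geolocation:
        # Constructed stand-in showing only the cloaking shape the article describes.
        (plugin_dir / SUSPECT_FILE).write_text(
            "<?php\nif (!is_user_logged_in()) {\n    echo $remote_content;\n}\n"
        )


def run_demo():
    """Audit three constructed installs: a backdoored one, an older one, and one without the plugin."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        build_sample_install(root, "2.6.3", with_geolocation=True)
        results["backdoored"] = audit_display_widgets(root)
    with tempfile.TemporaryDirectory() as root:
        build_sample_install(root, "2.05", with_geolocation=False)
        results["older"] = audit_display_widgets(root)
    with tempfile.TemporaryDirectory() as root:
        results["absent"] = audit_display_widgets(root)
    return results


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, findings)
```

Point audit_display_widgets at the document root of a real install to get the same findings dict; remove_now is true whenever the plugin is present, because the version and file checks only add evidence and do not change the advice. The cloaking list is a starting point for a manual read of the plugin source, not a verdict.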
Wordfence added that each time the plugin was removed by WordPress.org it sent a “Critical Alert” to its own users, and it recommends that all WordPress site owners install the Wordfence security plugin and watch for its email alerts.
If you have been affected by this malicious code and need help fixing it, or if you have any other query about WordPress or your website in general, please don't hesitate to contact Big Red Rocket. It's what we love, it's what we do.