Wordfence recently discovered new malware affecting WordPress sites via plug-ins.
An estimated 200,000 WordPress websites have fallen victim to the latest malware. This malwareinfects a site via a backdoor installed plug-in. This allows attackers to publish spam and view and collect IP addresses.
The latest malware was uncovered by Wordfence, a security firm, which focuses on content management. In their blog, Wordfence confirmed that the malware has been traced to a WordPress plug-in called Display Widgets. Display Widgets was supposedly designed in order to manage the way in which plug-ins are displayed on any given WordPress site.
Reports from SecurityWeek stated that the creator of Display Widgets sold it in June 2017, after this, it was updated to contain a backdoor. The backdoor and plug-in malware was originally noticed by David Law, a freelance SEO consultant. Law, in turn, notified Wordfence which removed the plug-in from WordPress.
Unfortunately, this was not the end of Display Widgets.
Shortly after removing the Display Widgets plug-in from the WordPress repository, Display Widgets reared its head again, however with a newly added file labeled geolocation.php. According to Bleeping Computer, this new updated version performed the same attack as its predecessor. Although site owners of infected sites did not notice any suspicious activity, Law managed to pick up on the malicious attack by tracking visits to an external server.
This has been an ongoing process of removing plug-ins just to have them reappear again, and was still happening earlier this month. According to SC Magazine, the current owner of Display widgets even made it clear that the plug-in was being updated to continue launching malware attacks in an, even more, suitable fashion. To date, the plug-in has reappeared a total of four times before being removed again.
David Law has published his findings pertaining to Display Widgets. The piece had an overview of the four different versions of the Display Widgets plug-ins as well as suggestions as to how one can remove it completely. WordPress has responded to these malicious attacks by banning the Display Widgets developer from the WordPress platform as well as creating a critical alert monitoring any activity from Display Widgets.
The damage caused by Display Widgets itself is not that critical and only spammed certain blogs and websites. Yet the techniques and pure insistence from the developer itself illustrated how powerful companies can be compromised when it comes to cybersecurity. The story has also put users on a higher alert when installing plug-ins.