For the past two and a half months, a WordPress plugin named Display Widgets has been used to install a backdoor on WordPress sites across the Internet.
The backdoor code was found between Display Widgets version 2.6.1 (released June 30) and version 2.6.3 (released September 2).
The WordPress.org team has intervened and removed the plugin from the official WordPress Plugins repository. At the time it was removed, the plugin was installed on more than 200,00 sites, albeit we cannot be sure how many of these were updated to a version that included the malicious behavior.
More surprising is that WordPress.org staff members removed the plugin three times before for similar violations. A history of events is compiled below, put together with data aggregated from three different investigations by David Law, White Fir Design, and Wordfence.
Plugin sold to new developer in May
The original Display Widgets is a plugin that allowed WordPress site owners to control which, how, and when WordPress widgets appear on their sites.
Stephanie Wells of Strategy11 developed the plugin, but after switching her focus to a premium version of the plugin, she decided to sell the open source version to a new developer who would have had the time to cater to its userbase.
A month after buying the plugin in May, its new owner released a first new version — v2.6.0 — on June 21.
A day later, David Law, an SEO consultant and the author of a competing plugin named Display Widgets SEO Plus, sent an email to the WordPress.org team informing them that version 2.6.0 was breaking WordPress plugin rules by downloading over 38MB of code from a third-party server.
According to Law, this 38MB code contained tracking features that logged traffic on websites using the Display Widgets 2.6.0. The extra code was collecting data such as user IP addresses, user-agent strings, the domain where the data was collected, and the page the user was viewing. The plugin was also sending this information to a third-party server.
Other users also spotted this behavior and reported the issue via the plugin’s support forum on WordPress.org.
Following Law’s report, the WordPress.org team removed the plugin from the WordPress Plugins repository the following day.
A week later, on July 1, the plugin’s new author managed to reinstate the plugin and release a new version — v2.6.1. This version integrated the 38MB file (geolocation.php) inside the plugin, to avoid breaking WordPress.org rules which say that plugins cannot download code from third-party servers.
Law, who was already keeping an eye on the plugin, again contacted the WordPress.org staff about the plugin. This time around, he reported that the plugin was now featuring a malicious backdoor that allowed the plugin’s owner to connect to remote sites and create new pages or posts. The user traffic logging feature was also still present.
A day later, the plugin was removed from the official WordPress Plugins repository for the second time in a week.
Undisturbed by all the takedowns, the plugin’s new author tried his luck again. According to a plugin changelog, the new author published version 2.6.2 to the WordPress Plugins repository on July 6.
For a few days, the plugin appears to have stopped all malicious behavior. Unfortunately, this did not last. On July 23, a user named Calvin Ngan filed complaints [1, 2] with the WordPress staff, accusing the plugin of “[creating] undetectedable [sic] pages with spammy links.”
Just like Law did before, Ngan says he tracked the malicious behavior to the geolocation.php file, added by the plugin’s new author in version 2.6.1.
Investigators discovered that this version was creating new pages where it inserted links to other sites. These pages and blog posts did not appear in the backend administration panel. Furthermore, the plugin also hid these spammy pages from logged in users (usually site admins). Only logged out users — normal site visitors — were shown these new pages.
To create these secret posts, the plugin contacted a remote domain from where it retrieved the content it was supposed to insert in the page. Wordfence has tracked the plugin contacting the following domains, all hosted on the same server at 126.96.36.199:
stopspam.io registered July 2, 2017 w-p.io registered July 11, 2017 geoip2.io registered July 24, 2017 maxmind.io registered July 24, 2017
A day later after Ngan’s report, the WordPress team removed the Display Widgets plugin from the official site for the third time.
Once more, the new authors did not give up. On September 2 they upload version 2.6.3 to the WordPress repository.
Lo and behold, this version was also malicious because on September 7, another user complained once more about the plugin inserting spammy links into his site.
In two replies [1, 2] posted on the plugin’s support topic, two people posting from the plugin’s official account tried to downplay the incident, claiming their sites were hacked because when users combined the geolocation.php code with other plugins, they opened their sites to exploitation.
The other admin here. Unfortunately the addition of the GEO Location made the software vulnerable to a exploit if used in conjunction with other popular plugins.
The latest update fixed and sanitised the vulnerability. A simple empty of the cache & clearing of the wp_options table (if affected) should remove that post.
Again i apologise. But this should fix it. We estimate only around 100 or so sites to be comprimised.
Plugin removed for good
The plugin was once again removed from the WordPress.org Plugins repository on September 8, for the fourth time. This time, the removal seems to be permanent.
WordPress.org staff appear to have taken over the plugin and have released version 2.7.0 that includes the exact same code from version 2.0.5, the plugin’s last clean version, before it was sold to a new owner.
The plugin is not available on the WordPress.org official site anymore, meaning it’s not available for new installs, but the update will appear in the backends of WordPress sites where the plugin is still installed.
Plugin bought by company specialized in buying old plugins
The Wordfence team, led by its CEO Mark Maunder, has also invested some time into tracking down who was behind the backdoor attacks.
Maunder says he tracked down the plugin’s new buyer to a service called WP Devs. As the company’s site states on his homepage, they are a service that buys old and abandoned plugins, currently being in the possession of 34 other plugins.
According to Maunder’s investigation, WP Devs appear to be run by two persons, one from the US and one he believes is based in Russia.
Maunder also reached out to one of the WP Devs owners, who claimed that he bought the plugin for $15,000 and later resold it for $20,000 to a company in California that forced him to sign a non-disclosure agreement (NDA) that now prevents him from saying more. It is unclear if the WP Devs spokesperson was telling the truth, at the time of writing.
Maunder also points out that whoever was behind the four Display Widgets malicious versions inserted the backdoor code intentionally and this doesn’t appear to be the case where someone copy-pasted malicious code from another project by accident.
He bases his assumption on the fact that version 2.6.3 (the last malicious version) also included a bugfix in the backdoor code, meaning the plugin’s new author knew exactly what he was doing.
WordPress.org staffers are being called out
The Wordfence CEO also asked the WordPress community to be kind and understanding with the WordPress staff regarding this recent incident, despite malicious behavior being discovered four times in the same plugin.
“Please note that many of the forum moderators and plugin repository maintainers are volunteers,” Maunder says. “Please do not judge them harshly – in general they do a pretty darn good job of keeping an extremely large repository and support forum system running smoothly for the most popular CMS on earth.”
On the other hand, White Fir Design and David Law do not see it that way. Law especially, since he was admonished by a WordPress moderator who closed one of his reports on the grounds of “not [being] fine to go to that other plugin[‘s support forum] and speculate that way.”
White Fir Design representatives, who run the Plugin Vulnerabilities blog, would also like to see WordPress simplify the process of reporting security issues and some accounting on the side of WordPress.org maintainers.
“What this situation really calls for is a full accounting of what happened on the WordPress side, because the bits and pieces we have so far seem to indicate things went very wrong,” the White Fir Design team said. “Without knowing want went wrong it seems unlikely the problems will get fixed, so that when another plugin gets taken over by someone with malicious intent the damage caused does not go on like it did with this for several months.”
UPDATE [September 13, 16:55 ET]: Wordfence researchers have continued to dig into the new owners of the Display Widgets plugin, and they believe to have identified the person behind the plugin. They say he is the same person behind the hijacking of the 404 to 301 WordPress plugin, also used to show spam links and content on third-party sites without their owners’ knowledge.