Three Years Later, Hundreds of Sites Still Use Backdoored WordPress Plugins

WordPress drop-down menu

More than a year after revealing the presence of intentionally malicious code inside the source code of 14 WordPress plugins, experts warn that hundreds of sites are still using the boobytrapped components.

In late October 2016, security experts from White Fir Design —the company behind the “Plugin Vulnerabilities” WordPress plugin— warned the public about the presence of mysterious code inside 14 plugins that allowed an attacker to execute remote code on WordPress sites.

“The code didn’t really look like it had a legitimate purpose, possibly indicating that the code was intentionally malicious,” experts said.

Malicious plugins removed from WordPress site in 2014

White Fir tied the 14 plugins to a 2014 blog post from Thomas Hambach, a web developer living in Hong Kong, who discovered the same malicious code

Hambach said that attackers were using the malicious code to insert SEO spam links on hijacked sites, and emailing the attacker the site’s URL, and other details.

The WordPress team intervened following Hambach’s discovery, and by February 2014 had removed the plugin he found, and by late 2014, they removed all the 14 malicious plugins from the official WordPress Plugin Directory.

Despite actions from the WordPress team, White Fir experts say they’ve continued to detect requests throughout 2015 from various IP addresses trying to access the malicious code specific to the backdoored plugins.

Hundreds of WP sites continued to use backdoored plugins

These past attacks came into the spotlight again when recently, the WordPress Plugin Directory was changed so that the pages for old plugins that have been closed remain visible, albeit with the download option disabled. Previously, these pages were not accessible to the public.

Pages for all the former plugins that featured the intentional malicious code show that even after almost three years after the WordPress team removed the plugins from public download, there are hundreds of sites that still use them.

One of the 14 plugins featuring the backdoor code

Plugin Name Active Installs
return-to-top 50+
 page-google-maps 500+
gallery-slider 300+
g-translate 60+
share-buttons-wp 200+
mailchimp-integration fewer than 10
smart-videos 70+
seo-rotator-for-images 70+
ads-widget 40+
seo-keyword-page 200+
wp-handy-lightbox 500+
wp-popup fewer than 10
google-analytics-analyze 70+
cookie-eu fewer than 10

All the sites using these plugins can be hacked by any attacker knowing what to look for. The sites are most likely abandoned and long-forgotten projects, one of the Web’s biggest problem, also known as “website rot.”

WordPress team has limited options at its disposal

Trying to protect users from easily hackable sites that could be abused for malware distribution and more, some experts have suggested that the WordPress team alert site owners when a plugin has been removed from the official WordPress Plugins Directory for security reasons.

WordPress staffers quickly shot down this idea, saying that this would put WordPress sites at a greater risk.

“IF an exploit exists and we publicize that fact without a patch, we put you MORE at risk,” said Mika Epstein, a member of the WordPress team. “If we make it known there is an exploit, [MOST] hackers attack everyone. If we don’t tell anyone, then hackers who DO know will attack, but they would have anyway.”

But experts weren’t happy with this resolution, and some argued that WordPress staffers should take the very intrusive step of removing the vulnerable plugins from affected sites.

The problem with this suggestion was that it created a moral and legal dilemma between safeguarding sites from hacks and breaking functionality on some websites by removing plugins —and indirectly some features.

One year after those discussions, the WordPress team appears to have chosen a different path, as it was showcased with the case of another backdoored WordPress plugin that affected over 300,000 sites.

For the moment, to fight off some major security threats, it appears that WordPress developers will roll back malicious plugin changes to the last clean version of the same plugin, which they’ll pack as a new updated and force-install it on all affected sites. This way, any major vulnerability/backdoor is removed, but site functionality is kept somewhat intact. But this course of action takes precious time away from the WordPress team and is deployed with major security issues only.

In the meantime, site owners can install one of the many security plugins available on the WordPress Plugins Directory and audit their site for old plugins that feature security flaws.