There are a lot of time-saving apps, CSS frameworks, and JavaScript libraries you can use as a WordPress developer to simplify your workflows. But plugins? Especially ones found in the WordPress repository or from your WPMU DEV membership? Talk about convenience and instant satisfaction.

Plugins are definitely one of the pluses of building websites using WordPress. However, plugins can seriously compromise your site’s security if you’re not careful.

With 54% of detected vulnerabilities attributed to plugins, it’s no secret they’re the leading cause of WordPress security breaches. Of course, that can usually be boiled down to user error (i.e. a plugin wasn’t updated when it should have been). But sometimes these plugin security issues don’t have anything to do with that type of user error. Instead, they arise from other users; specifically, hackers who knowingly inject their own plugins with malicious code.

Yep, that’s right: there are fake WordPress plugins built with the explicit purpose of infecting websites. As you’ll soon see, these infections aren’t always easy to spot right away either. Let’s take a look at why hackers use WordPress plugins to crack their way into your website, how they do it, and what you can do to prevent it.

Fake WordPress Plugins That Tricked Everyone

Alright, so you know how to lock a WordPress site down pretty well. The admin area needs attention as does the root directory of your site. Any direct contact visitors make with your site needs to be fortified as does your web host’s servers. Basically, every angle needs to be covered.

But what do you do when the hack comes from inside your website?

Fake WordPress Plugins - Inside the House
Terrible movie. Great line.

Hackers who go to the trouble of building a fake WordPress plugin know what they’re doing. Many of the fake plugins that have actually harmed users’ websites passed through undetected because the code–at first glance anyway–appeared legit. There are also, scarily enough, fake plugins that didn’t start out that way.

If you’ve never encountered a fake WordPress plugin before, let me introduce you to a number of well-known cases:

Pingatorpin Plugin

Pingatorpin was a plugin in 2013 that wasn’t immediately identified as what it truly was. Sucuri had stumbled across a rather large number of websites containing malware, all sharing a similar set of files. It wasn’t until they started digging deeper that they realized the Pingatorpin plugin was the source of the spam running rampant on these sites.

SI CAPTCHA Anti-Spam Plugin

Wanna see something tricky? Then get a load of the SI CAPTCHA plugin, which, up until the summer of 2017, was actually a valid CAPTCHA plugin. In June, the plugin was purchased by another party and changed ownership. That’s when the problems began.

The new owner added code into the plugin that would allow a separate server of his to inject payday loan ads into users’ blog posts. It wasn’t the only plugin this hacker used either as eight other WordPress plugins were used as a means for gaining backdoor access to websites in order to run spam there.

There are crafty hackers like these who will purchase well-known plugins from developers and then issue updates with a vulnerability inside them that grants them access to users’ sites. They know that WordPress developers and other users who are hypervigilant about security are likely reluctant to use a little-known plugin from the repository, so this super devious move is actually really smart when you think about it.

WP-Base-SEO Plugin

Leave a Reply

Your email address will not be published. Required fields are marked *