It was reported this morning that a malicious WordPress plugin has been discovered that has been used to hijack more than 200,000 websites.
The plugin, called Display Widgets, has been found to contain a backdoor that could allow hackers to access what is posted on the site and modify content on infected pages. Colin Domoney, Consultant Solution Architect at Veracode, commented below.
Colin Domoney, Consultant Solution Architect at Veracode:
“One of the greatest threats of malicious WordPress plugins is that the technical or cybersecurity skill level of the average WordPress user tends to be significantly lower than that of a corporate security or IT department. By its nature and design, WordPress is easily extendable using the many powerful and freely available marketplace plugins; but there is nothing to stop an attacker embedding malicious code into a plugin.
In this case, the malicious plugin could allow hackers to modify the content on infected sites, but just last month we saw another tactic used, whereby certain WordPress plugins were found to infect the host website with ransomware after attackers embedded a ransomware toolkit into the plugin.
With the massive number of organisations using WordPress sites, cybercriminals know that creating malicious plugins that directly target this platform offers massive potential. It’s crucial, if WordPress is to continue presenting itself as a credible and secure option for non-tech-savvy end users, that they educate their users about the potential risks and the best-practice steps they can take to avoid falling victim to malicious plugins. Ensuring their users don’t assume plugins are secure by default and understand the value of conducting security scans of their websites will prove essential if they want to maintain their reputation and not have disgruntled users laying blame at their door.”