Multiple WordPress Plugins Compromised: Hackers Create Rogue Admin Accounts


The world of WordPress security has been shaken again as multiple popular WordPress plugins have been compromised, enabling attackers to create rogue administrator accounts and perform arbitrary actions on vulnerable websites.

Malicious Code Injected to Gain Admin Access

According to Wordfence security researcher Chloe Chamberland, malicious code has been injected into certain WordPress plugins, allowing attackers to create new admin accounts remotely. These admin accounts, once established, give hackers full control of the site and access to sensitive information. This malware, once activated, sends the account details to an attacker-controlled server.

Additionally, attackers have injected malicious JavaScript into the website’s footer, which is being used to distribute SEO spam across compromised sites. This can severely damage the website’s reputation and SEO ranking, as spammy and irrelevant content begins to appear throughout the site.

Compromised Plugins and Actions to Take

The rogue admin accounts being created usually have the usernames “Options” and “PluginAuth,” with details being exfiltrated to the IP address 94.156.79[.]8. The exact mechanism used by attackers to compromise these plugins remains unknown, but the first signs of this attack were detected on June 21, 2024.

The following WordPress plugins are confirmed to be affected:

  • Social Warfare (v4.4.6.4 – v4.4.7.1) – Patched in v4.4.7.3 (30,000+ installs)
  • Blaze Widget (v2.2.5 – v2.5.2) – No patch available (10+ installs)
  • Wrapper Link Element (v1.0.2 – v1.0.3) – No patch available (1,000+ installs)
  • Contact Form 7 Multi-Step Addon (v1.0.4 – v1.0.5) – No patch available (700+ installs)
  • Simply Show Hooks (v1.2.1) – No patch available (4,000+ installs)

These plugins are temporarily unavailable for download on the WordPress plugin directory while further review is conducted.

What to Do If Your Site is Compromised

If you’re using any of these plugins, you must immediately check your website for any suspicious administrator accounts, especially those with the usernames “Options” or “PluginAuth.” Deleting these accounts should be your top priority. In addition, inspect your site for any unusual JavaScript code, particularly in the footer section.

Here are a few key steps you should take if you suspect your website is compromised:

  1. Remove Suspicious Accounts: Delete any rogue admin accounts you don’t recognize.
  2. Inspect Website Code: Look for injected JavaScript, particularly in the footer, and remove it.
  3. Update Plugins: If patches are available, update to the latest versions immediately.
  4. Monitor Logs: Keep an eye on your server logs for suspicious activity or IP addresses.
  5. Change Admin Passwords: After cleaning up, update all admin credentials for added security.
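
A triage check for steps 1 and 3, added here as an example and not taken from Wordfence or any of the plugins: it reads JSON exported with WP-CLI (`wp user list --role=administrator --format=json` and `wp plugin list --fields=name,title,version --format=json`) and flags the usernames and version ranges reported above. Matching plugins by the titles as this article lists them is an assumption, and the sample data is constructed.

```python
import json

# Usernames and version ranges as reported in the article above.
ROGUE_ADMINS = {"options", "pluginauth"}
AFFECTED = {  # plugin title (assumed to match the article) -> (first, last) bad version
    "social warfare": ("4.4.6.4", "4.4.7.1"),
    "blaze widget": ("2.2.5", "2.5.2"),
    "wrapper link element": ("1.0.2", "1.0.3"),
    "contact form 7 multi-step addon": ("1.0.4", "1.0.5"),
    "simply show hooks": ("1.2.1", "1.2.1"),
}

def vkey(version):
    """Turn '4.4.7.1' into (4, 4, 7, 1) so versions compare numerically."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())

def rogue_admins(users_json):
    """Return logins of administrators matching a reported rogue username."""
    return [u["user_login"] for u in json.loads(users_json)
            if u["user_login"].lower() in ROGUE_ADMINS]

def affected_plugins(plugins_json):
    """Return (title, version) for installed plugins inside a reported bad range."""
    hits = []
    for p in json.loads(plugins_json):
        rng = AFFECTED.get(p["title"].lower())
        if rng and vkey(rng[0]) <= vkey(p["version"]) <= vkey(rng[1]):
            hits.append((p["title"], p["version"]))
    return hits

# Constructed sample data in the shape WP-CLI emits with --format=json.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-02 10:00:00"},
    {"ID": 57, "user_login": "PluginAuth", "user_registered": "2024-06-22 03:14:00"},
])
SAMPLE_PLUGINS = json.dumps([
    {"name": "plugin-a", "title": "Social Warfare", "version": "4.4.7.3"},
    {"name": "plugin-b", "title": "Simply Show Hooks", "version": "1.2.1"},
])

if __name__ == "__main__":
    print("rogue admins:", rogue_admins(SAMPLE_USERS))
    print("affected plugins:", affected_plugins(SAMPLE_PLUGINS))
```

A clean result only means the two reported usernames and the listed version ranges were not found; any administrator you don't recognize still needs review.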

Protecting Your WordPress Website

WordPress websites are popular targets for hackers, so it’s essential to stay vigilant about security. To reduce the risk of future attacks:

  • Keep your plugins, themes, and WordPress core up to date.
  • Use a trusted security plugin like Wordfence or Sucuri to monitor and protect your site.
  • Regularly back up your website to ensure you can restore it in the event of an attack.
  • Limit the number of administrator accounts and only grant admin access when absolutely necessary.

By taking proactive steps, you can mitigate the risk of your website falling victim to malicious attacks. Stay informed, keep your software updated, and regularly check for suspicious activity to safeguard your WordPress website from hackers.


Md Nasibul Alam - Web Developer and SEO Expert
