The world of WordPress security has been shaken again as multiple popular WordPress plugins have been compromised, enabling attackers to create rogue administrator accounts and perform arbitrary actions on vulnerable websites.
Malicious Code Injected to Gain Admin Access
According to Wordfence security researcher Chloe Chamberland, malicious code has been injected into certain WordPress plugins, allowing attackers to create new admin accounts remotely. These admin accounts, once established, give hackers full control of the site and access to sensitive information. This malware, once activated, sends the account details to an attacker-controlled server.
Additionally, attackers have injected malicious JavaScript into the website’s footer, which is being used to distribute SEO spam across compromised sites. This can severely damage the website’s reputation and SEO ranking, as spammy and irrelevant content begins to appear throughout the site.
Compromised Plugins and Actions to Take
The rogue admin accounts being created usually have the usernames “Options” and “PluginAuth,” with details being exfiltrated to the IP address 94.156.79[.]8. The exact mechanism used by attackers to compromise these plugins remains unknown, but the first signs of this attack were detected on June 21, 2024.
The following WordPress plugins are confirmed to be affected:
- Social Warfare (v4.4.6.4 – v4.4.7.1) – Patched in v4.4.7.3 (30,000+ installs)
- Blaze Widget (v2.2.5 – v2.5.2) – No patch available (10+ installs)
- Wrapper Link Element (v1.0.2 – v1.0.3) – No patch available (1,000+ installs)
- Contact Form 7 Multi-Step Addon (v1.0.4 – v1.0.5) – No patch available (700+ installs)
- Simply Show Hooks (v1.2.1) – No patch available (4,000+ installs)
These plugins are temporarily unavailable for download on the WordPress plugin directory while further review is conducted.
What to Do If Your Site is Compromised
If you’re using any of these plugins, you must immediately check your website for any suspicious administrator accounts, especially those with the usernames “Options” or “PluginAuth.” Deleting these accounts should be your top priority. In addition, inspect your site for any unusual JavaScript code, particularly in the footer section.
Here are a few key steps you should take if you suspect your website is compromised:
- Remove Suspicious Accounts: Delete any rogue admin accounts you don’t recognize.
- Inspect Website Code: Look for injected JavaScript, particularly in the footer, and remove it.
- Update Plugins: If patches are available, update to the latest versions immediately.
- Monitor Logs: Keep an eye on your server logs for suspicious activity or IP addresses.
- Change Admin Passwords: After cleaning up, update all admin credentials for added security.
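A small triage helper for the steps above, written for this article as an added example (not Wordfence's or any plugin author's code): it flags the rogue usernames, installs whose version falls inside an affected range, and log lines that contain the exfiltration IP. The sample inputs are constructed, and the `title,version` column names assume the shape of `wp plugin list --fields=title,version --format=csv` output.

```python
import csv

# Indicators from the advisory; the IP is undefanged so it can serve as a search literal.
ROGUE_USERNAMES = {"Options", "PluginAuth"}
EXFIL_IP = "94.156.79.8"
# plugin title -> (first affected, last affected, fixed version or None)
AFFECTED = {
    "Social Warfare": ("4.4.6.4", "4.4.7.1", "4.4.7.3"),
    "Blaze Widget": ("2.2.5", "2.5.2", None),
    "Wrapper Link Element": ("1.0.2", "1.0.3", None),
    "Contact Form 7 Multi-Step Addon": ("1.0.4", "1.0.5", None),
    "Simply Show Hooks": ("1.2.1", "1.2.1", None),
}

def vtuple(version):
    """'4.4.7.1' -> (4, 4, 7, 1): numeric dotted versions compare as numbers, not strings."""
    return tuple(int(p) for p in version.split("."))

def rogue_admins(usernames):
    """Admin usernames that match the rogue names named in the advisory."""
    return sorted(u for u in usernames if u in ROGUE_USERNAMES)

def affected_plugins(plugin_csv):
    """Rows of 'title,version' CSV whose version lies in an affected range.
    Returns (title, version, advice) tuples."""
    hits = []
    for row in csv.DictReader(plugin_csv.splitlines()):
        rng = AFFECTED.get(row["title"])
        if rng and vtuple(rng[0]) <= vtuple(row["version"]) <= vtuple(rng[1]):
            advice = f"update to {rng[2]}" if rng[2] else "no patch: deactivate and remove"
            hits.append((row["title"], row["version"], advice))
    return hits

def lines_with_exfil_ip(log_text):
    """Log lines containing the exfiltration IP (literal substring match)."""
    return [line for line in log_text.splitlines() if EXFIL_IP in line]

# Constructed sample data in the shape of `wp user list --role=administrator
# --field=user_login` and `wp plugin list --fields=title,version --format=csv`
# (assumed column names), plus two made-up outbound firewall log lines.
SAMPLE_ADMINS = ["alice", "Options", "PluginAuth"]
SAMPLE_PLUGINS = ("title,version\nSocial Warfare,4.4.7.0\n"
                  "Simply Show Hooks,1.2.1\nAkismet,5.3\n")
SAMPLE_LOG = ("Jun 22 03:14:07 web1 kernel: OUT DST=94.156.79.8 DPT=80\n"
              "Jun 22 03:14:09 web1 kernel: OUT DST=198.51.100.7 DPT=443\n")

if __name__ == "__main__":
    print("rogue admins:", rogue_admins(SAMPLE_ADMINS))
    print("affected plugins:", affected_plugins(SAMPLE_PLUGINS))
    print("exfil hits:", lines_with_exfil_ip(SAMPLE_LOG))
```

On a live site, feed the real WP-CLI and log output in place of the sample strings; an empty result for all three checks does not prove the site is clean, since the injected footer JavaScript still has to be inspected by hand.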
Protecting Your WordPress Website
WordPress websites are popular targets for hackers, so it’s essential to stay vigilant about security. To reduce the risk of future attacks:
- Keep your plugins, themes, and WordPress core up to date.
- Use a trusted security plugin like Wordfence or Sucuri to monitor and protect your site.
- Regularly back up your website to ensure you can restore it in the event of an attack.
- Limit the number of administrator accounts and only grant admin access when absolutely necessary.
By taking proactive steps, you can mitigate the risk of your website falling victim to malicious attacks. Stay informed, keep your software updated, and regularly check for suspicious activity to safeguard your WordPress website from hackers.
One Response
Great article! I really appreciate the clear and detailed insights you’ve provided on this topic. It’s always refreshing to read content that breaks things down so well, making it easy for readers to grasp even complex ideas. I also found the practical tips you’ve shared to be very helpful. Looking forward to more informative posts like this! Keep up the good work!