200K WordPress Sites At Risk Of Attack

Last week, more than 200,000 WordPress sites were notified that they might be at risk of attack due to a plugin bug that lets hackers take over websites quickly.

The plugin in question was Code Snippets, a WordPress plugin that runs PHP code snippets more cleanly. It means you, as the site developer, no longer need to add custom snippets to your website theme’s functions.php file. With this mini-plugin, the functionality of your WordPress site is extended because there is less load on your website. Code Snippets keeps your functions.php file clean and runs your snippets on your site more effectively.

However, the security firm Wordfence discovered a bug in the plugin. The bug would allow hackers to inject PHP code remotely without the administrator’s permission. Once the attackers had infiltrated the site, they could execute malicious code from anywhere. They could even create additional administrator accounts, infect site users, and extract private data.

The researchers at Wordfence found that the developers had created a mostly secure plugin and followed the correct procedures, but a vulnerability in the import function still meant that the plugin could be compromised easily.

Luckily, the plugin’s creators fixed the vulnerability on January 25th, within days of the discovery of the security flaw. Anyone who uses the Code Snippets plugin should make sure that they are running version 2.14.0. If you are using an older version of the plugin, you, your website, and even the visitors to your site could be vulnerable to attack. Update immediately to the patched version to ensure that your website is secure.

According to download data for the most recent update, roughly 58,000 plugin users have updated their plugin, but 140,000 admins are still running the old version, meaning that their sites remain open to an easy attack.

The recent flaw was followed by another attack, in which thousands of WordPress sites were infected with malicious JavaScript. The JavaScript was planted to promote spam websites.

Through the injected JavaScript, the hackers started a loop of multiple redirects to “survey-for-gifts” websites. Unsuspecting users might be tricked into giving up their personal information or even accidentally installing malicious software on their computers.

Sucuri, a website security and website malware removal company, was the first to notice these bad actors. Sucuri released a statement saying, “Unfortunately for website owners, this malicious JavaScript payload is capable of making further modifications to existing WordPress theme files via the /wp-admin/theme-editor.php file. This allows them to inject additional malware, such as PHP backdoors and hack tools, to other theme files so they can continue to maintain unauthorized access to the infected website.”

Because these hackers maliciously use admin features to create fake directories, they are able to plant even more malware in zip-compressed files. Sucuri reported that 2,000 sites had been infected. To stop the problem, Sucuri “encourages website owners to disable the modification of primary folders to block hackers from inserting malicious files or includes as part of WordPress security hardening and security best practices.”

WordPress site owners need to be particularly diligent in keeping their website safe from hackers. According to Sucuri, WordPress accounts for 90% of compromised websites. Magento and Joomla sites account for just 4.6% and 4.3% of compromised sites, respectively.

WordPress is so vulnerable to attack largely because of the sheer popularity of the content management system (CMS). Because WordPress powers so many sites and is open source, hackers have more opportunities to exploit unsuspecting users.

One of the easiest ways to keep your WordPress site secure is to update WordPress regularly. With each new release of WordPress, its themes, and its plugins, security is improved and known vulnerabilities are patched.

That is why some novice and even experienced WordPress developers choose managed WordPress hosting. It makes it easier to keep all site plugins updated because your hosting provider takes care of updating them for you. If you don’t know what it takes to keep your website updated, it is a good idea to invest in this type of hosting.

If you don’t have managed WordPress hosting, you will have to keep your WordPress site updated yourself. When a malicious bug or vulnerability is discovered, the WordPress support team will usually send you a notification urging you to update your site.

Updating your WordPress site is very easy. All it takes is to click “update” on your dashboard, and it will typically take only a few seconds to make sure that your site stays secure. You might also have to go to “Installed Plugins” and “Appearances/Themes” to make sure that you are using the latest version of each plugin and theme. You’ll easily see which ones are out of date. Taking a few minutes to do this every couple of weeks is vital to the security of your site.
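As an added example (not code from the article, Wordfence, Sucuri, or the Code Snippets project), here is a small Python audit that applies both pieces of advice above: it reads the installed Code Snippets version from the plugin's header and compares it with the patched 2.14.0, and it checks whether wp-config.php disables the dashboard file editor (theme-editor.php) that the JavaScript payload abused. The plugin file path is an assumption, and the sample site tree is constructed in a temporary directory so the script runs offline.

```python
import re
import tempfile
from pathlib import Path

PATCHED_VERSION = (2, 14, 0)  # Code Snippets release carrying the fix (from the article)
# Assumed path of the plugin's main file inside a WordPress install.
PLUGIN_MAIN_FILE = "wp-content/plugins/code-snippets/code-snippets.php"

def parse_version(text):
    """'2.13.3' -> (2, 13, 3): numeric compare, so 2.9.0 sorts below 2.14.0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def plugin_header_version(path):
    """Read the 'Version:' line of the standard WordPress plugin header comment."""
    match = re.search(r"^[\s*]*Version:\s*([\w.\-]+)", path.read_text(), re.M | re.I)
    return match.group(1) if match else None

def code_snippets_outdated(wp_root):
    """True when Code Snippets is installed and older than the patched release."""
    path = Path(wp_root) / PLUGIN_MAIN_FILE
    if not path.exists():
        return False  # plugin not installed, nothing to update
    found = plugin_header_version(path)
    return found is None or parse_version(found) < PATCHED_VERSION

def file_editor_disabled(wp_root):
    """True when wp-config.php defines DISALLOW_FILE_EDIT as true, which removes the
    dashboard theme/plugin editor. Commented-out defines do not count."""
    pattern = re.compile(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)
    for line in (Path(wp_root) / "wp-config.php").read_text().splitlines():
        code = line.split("//")[0].split("#")[0]  # strip trailing PHP line comments
        if pattern.search(code):
            return True
    return False

def build_sample_site(version, disallow_edit):
    """Constructed sample WordPress tree (not a real install) for offline runs."""
    root = Path(tempfile.mkdtemp())
    plugin = root / PLUGIN_MAIN_FILE
    plugin.parent.mkdir(parents=True)
    plugin.write_text(f"<?php\n/**\n * Plugin Name: Code Snippets\n * Version: {version}\n */\n")
    define = "define( 'DISALLOW_FILE_EDIT', true );"
    setting = define if disallow_edit else "// " + define  # commented out = not hardened
    (root / "wp-config.php").write_text(f"<?php\n{setting}\ndefine( 'DB_NAME', 'wp' );\n")
    return root
```

Point the two check functions at a real site root instead of the constructed tree to audit your own install.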

Having a secure WordPress site doesn’t have to be impossible. Make sure to keep your website updated to keep it safe from hackers.