According to WordPress, over 60 million people have chosen the software to power their websites. An ongoing “backdoor attack” is trying to compromise as many of them as possible. Here’s what you need to know.
What do WordPress website owners need to know?
A website hacking campaign that has been ongoing since July has morphed from redirecting browsers to sites carrying dodgy adverts or malicious software into something potentially even more problematic. Mikey Veenstra, a researcher with the Defiant Threat Intelligence team, said that “the campaign has added another script which attempts to install a backdoor into the target site by exploiting an administrator’s session.”
In a warning posted to the WordFence security blog on August 30, Veenstra revealed that a malicious JavaScript dropped into compromised websites looks to “create a new user with administrator privileges on the victim’s site.” If a logged-in administrator is identified as viewing the infected page, it then goes on to make an AJAX call via jQuery, one that creates a rogue administrator account.
“This AJAX call creates a user named wpservices with the email wpservices@yandex.com and the password w0rdpr3ss,” Veenstra said, “with this user in place, the attacker is free to install further backdoors or perform other malicious activity.”
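Because the rogue account is created through the administrator’s own authenticated session, it shows up in the site’s user table like any other admin rather than in a plugin’s files. A quick way to check a site is to export the user list (for example with `wp user list --format=csv` from WP-CLI) and review it for the indicators above plus any administrator that was registered since the campaign began. The script below is an added example written for this article, not code from Defiant or WordPress; the CSV sample is constructed, the column names assume the default WP-CLI export, and the July 2019 cut-off date is an assumption about when the campaign described here started.

```python
import csv
import io
from datetime import datetime

# Indicators of compromise quoted in the article (Veenstra, Defiant Threat Intelligence).
IOC_USERNAME = "wpservices"
IOC_EMAIL = "wpservices@yandex.com"

# Constructed sample in the shape of `wp user list --format=csv` output.
# Two legitimate users plus the rogue administrator the campaign creates.
SAMPLE_EXPORT = """ID,user_login,display_name,user_email,user_registered,roles
1,admin,Site Owner,owner@example.org,2017-03-02 10:15:00,administrator
7,editor_jane,Jane,jane@example.org,2018-11-20 08:00:00,editor
42,wpservices,wpservices,wpservices@yandex.com,2019-08-29 23:41:07,administrator
"""


def parse_user_export(text):
    """Parse a WP-CLI CSV user export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_suspicious_admins(users, since):
    """Return [(user_login, [reasons])] for accounts that match the campaign
    IoCs or that hold the administrator role and were registered on or after
    `since` (an ISO date string such as "2019-07-01")."""
    cutoff = datetime.fromisoformat(since)
    findings = []
    for u in users:
        reasons = []
        login = u["user_login"].strip().lower()
        email = u["user_email"].strip().lower()
        roles = {r.strip() for r in u["roles"].split(",")}
        registered = datetime.fromisoformat(u["user_registered"].strip())

        if login == IOC_USERNAME:
            reasons.append("username matches campaign IoC")
        if email == IOC_EMAIL:
            reasons.append("email matches campaign IoC")
        # Any admin created during the campaign window deserves a manual look,
        # since the attacker can change the username once the account exists.
        if "administrator" in roles and registered >= cutoff:
            reasons.append("administrator registered on/after " + since)

        if reasons:
            findings.append((u["user_login"], reasons))
    return findings


if __name__ == "__main__":
    users = parse_user_export(SAMPLE_EXPORT)
    # Assumption: the campaign the article describes began in July 2019.
    for login, reasons in find_suspicious_admins(users, "2019-07-01"):
        print(f"{login}: {'; '.join(reasons)}")
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents; any hit on the IoC fields is a confirmed compromise, while a recently registered administrator that nobody recognises should be treated the same way until proven otherwise, because once the account exists the attacker can rename it.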
How are the attackers getting access to your website?
As is often the case where WordPress site compromise is concerned, the threat actors behind the current attack campaign leverage vulnerabilities in third-party WordPress plugins. The official WordPress website states that there are some 55,133 plugins available at the moment. According to an Imperva report looking at web application vulnerabilities, only 3% of these were newly added during 2018.
This means that there are a lot of old plugins out there, and likely still in use, which haven’t been updated for a while. Given that in the report Imperva revealed “98% of WordPress vulnerabilities are related to plugins,” the extent of the problem is easy enough to grasp.
If you are a WordPress-powered website owner using any of these plugins, then you are advised to check you have the latest updated versions. Follow the links above to check on update status, as most of these have already been patched. However, Veenstra warned that “it’s reasonable to assume any unauthenticated XSS or options update vulnerabilities disclosed in the near future will be quickly targeted by this threat actor.”
How can you best mitigate WordPress website threats?
“As always, updating the plugins and themes on your WordPress site is an excellent layer of defense against campaigns like these,” Veenstra said, “check your site for needed updates frequently to ensure you’re receiving the latest patches as they’re released.”
Ethical hacker John Opdenakker says that it’s “best to combine several layers of protection,” so, as well as those plugin update checks, he says “it’s certainly a good idea to use a web application firewall to help block cross-site scripting (XSS) attacks.”
I would add that using two-factor authentication for admin access to the WordPress website isn’t optional these days; it’s a must-have.
This advice applies to all website owners who have taken the WordPress route to content publishing, not just the most popular or the big names online. Don’t think that just because you are a little fish in a big pond the cybercrime sharks won’t bite you; they will. Criminals are always probing sites for ways to compromise them, whether to serve malicious adverts, to redirect visitors to other malicious websites, or to gain a foothold that can be leveraged as part of a bigger attack plan.