boy dodging a ball in a dodgeball game

How To Avoid These Top 5 Hacked WordPress Plugin Exploits

One of the biggest fears of every website owner is the fear of getting hacked. Even if you are running just a small personal blog there is a good chance that your blog might get hacked. You are probably wondering why would someone hack your website and what can they get from it?

An important thing to understand is that most of the hacking is automated. It is counterproductive for a hacker to hack individual websites. Instead, they usually use automated bots that browse the internet in a similar way that search engines do, but with completely different intentions. The most common entry point for such bots is one of the plugins on the compromised website.

In this article, we will talk about some plugins that lead to mass hacks. If you want to avoid being part of similar hacks in the future there are two things you should always do; use only the best WordPress plugins available, and always keep them up to date.

1. Easy WP SMTP

One of the most recent plugin exploits that resulted in thousands of websites being hacked started on March 15, 2019. Easy WP SMTP’s main feature lets the website owners configure SMTP settings of outgoing emails. After the latest patch of the plugin, two hacker groups found a way to abuse that change and modify an option that controls the permissions of roles on WordPress websites. With access to those permissions, they could easily enable any subscriber (in this case themselves) to have the same responsibilities as the admin, essentially creating a duplicate admin account. Once a duplicate admin account was created, hackers continued to hijack traffic from the compromised website.

NinTechNet was the first to notice the attack and they informed the company behind Easy WP SMTP about the attacks. The author of the plugin released the new version on the same day. If you are using that plugin it is recommended that you update it immediately and check for any newly added accounts both on the subscriber and admin level.

2. Snap Creek Duplicator

Last September another mass hack started with the exploitation of a plugin. In this case, attackers were compromising WordPress websites by removing or modifying files on the websites that used outdated versions of the plugin. Such websites were vulnerable to a Remote Code Execution attack. RCE is a type of attack where a hacker is able to remotely run any code on the compromised website.

Even the websites with updated plugins were vulnerable during these string of attacks. In many cases, vulnerable files created by an old version of the plugin remained in root folders of the website despite a new version of the plugin being installed. The only sites that remained secure during these attacks were the ones that never used the older versions of the plugin and those that manually removed the files left behind by the older versions.

3. SoakSoak mass hack

In 2014 a vulnerability in the RevSlider plugin resulted in hundreds of thousands of WordPress websites getting hacked and infected with malware. The incident was named by the first domain in the malware’s redirection path (soaksoak.ru).

Everyone who purchased the RevSlider plugin directly from the developer had an auto-updater included in the plugin. The problem was that websites which got RevSlider included in the theme they purchased didn’t have such auto-updater and were running one of the earlier versions of RevSlider. Those earlier versions had a vulnerability which allowed remote attackers to download any file from the server and then use it to steal database credentials.

Once an attacker has database credentials they can modify the database of the website and pull of some pretty serious attacks on the website. In this case, the attack was serious enough that over 11,000 domains were blacklisted by Google in a single day.

4. Jetpack plugin

A new way to use plugins in hacking was devised last year. This type of hacking of websites is complex and requires several steps. The first step is to obtain usernames and passwords and use them to log into a WordPress account. One condition that has to be met in order for this step to succeed is that the target account doesn’t have two-factor authentication enabled.

The next step was to use Jetpack, a plugin that lets users connect to multiple self-hosted WordPress sites via one account and manage them all via the Jetpack plugin installed on each of the websites. Once this step is completed a hacker can choose how to proceed from a wide set of options. Most common attacks consisted of uploading malicious files to multiple sites at once or installing plugins on previously secure websites in order to enable the hacker to breach those websites as well.

5. Disqus hack

In 2012 a popular comments plugin Disqus was hacked. Although this hack consisted of hacking just one plugin, accounts of millions of users who registered for Disqus on different websites were compromised. Luckily Disqus developers reacted quickly and reset passwords for all users before proceeding to eliminate the vulnerability in the plugin.

Due to the quick reaction of Disqus the damage was mitigated and the only consequence was that some users received spam emails. However, this example shows how a vulnerable plugin can cause damage, not only to the plugin developer and website owner but to all customers of the website that uses a plugin.

Final word

In this article, we have shown 5 different examples of mass hacks that were all connected to plugins but executed in different ways. It is clear that plugins can create serious vulnerabilities on your website and damage not only you but your customers as well. This means that you are responsible for keeping your customers safe by monitoring for issues and staying ahead of the curve. The ways you can mitigate the risk of being attacked through the plugins you use is to use only the best plugins, always keep them up to date, keep your website files clean of all the files generated by outdated versions of plugins, and always use two-factor authorisation for your WordPress account.