A very persistent malicious actor added a backdoor to a WordPress plugin called Display Widgets, which may have installed that backdoor on as many as 200,000 websites since June 21.
The hacker used the open-source Display Widgets plugin, which lets users control how their WordPress plugins appear on their sites, as the delivery mechanism for the backdoor. Although the number of potentially infected sites is large, what is almost as impressive is the hacker's persistence. The infected plugin was repeatedly removed from the site by Wordpress.org between June 22 and September 8, with the hacker dutifully replacing it each time.
It was finally removed for good on September 8.
While it has not appeared again, Wordfence, a private company with its own security plugin for WordPress, issued a warning to WordPress users.
“If you have a plugin called “Display Widgets” on your WordPress website, remove it immediately. The last three releases of the plugin have contained code that allows the author to publish any content on your site. It is a backdoor,” WordFence wrote.
WordPress and other content management systems have been a constant target for hackers over the years.
When active, the backdoor allows unauthorized people to post spam content to the targeted site; the plugin is currently in use on about 200,000 websites.
WordFence also published the details of WordPress' long battle to eliminate Display Widgets. The plugin was legitimately developed as an open-source plugin, which was sold by its creator on June 21. Immediately the new owner released an updated version, 2.6.0. The next day WordPress was informed by David Law, a UK-based SEO consultant, that the widget had started installing additional code and then began downloading data on Law's server.
The WordPress team removed Display Widgets on June 23. On June 30 the malicious actor tried again, releasing version 2.6.1, which contained a file called geolocation.php that was not recognized by the organization as malicious code. Like the first version, this could also post content to any site running the plugin, but this time the malware had an extra twist.
“Furthermore, the malicious code prevented any logged-in user from seeing the content. In other words, site owners would not see the malicious content. David Law again contacted the plugin team and let them know that the plugin is logging visits to each website to an external server, which has privacy implications,” WordFence wrote.
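The cloaking trick described above (spam served to anonymous visitors but hidden from logged-in users) can be checked for by fetching the same page twice, once without and once with a WordPress login cookie, and diffing the links. The following is an added example, not code from Wordfence or from the Display Widgets plugin; it assumes the operator has already saved the two HTML responses, and the sample pages below are constructed.

```python
import re
from urllib.parse import urlparse

# Heuristic link extractor; good enough for spotting injected spam anchors.
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def extract_links(html):
    """Return the set of href targets found in an HTML document."""
    return set(HREF_RE.findall(html))


def cloaked_links(anonymous_html, logged_in_html):
    """Links served to anonymous visitors but absent from the logged-in
    rendering of the same URL. Legitimate pages differ the other way round
    (the admin bar adds links for logged-in users), so only the anonymous-
    minus-logged-in direction is reported."""
    hidden = extract_links(anonymous_html) - extract_links(logged_in_html)
    return sorted(hidden)


def external_hosts(links, site_host):
    """Hostnames among the given links that do not belong to the site itself;
    cloaked links pointing off-site are the strongest spam indicator."""
    hosts = set()
    for link in links:
        host = urlparse(link).hostname
        if host and host != site_host:
            hosts.add(host)
    return sorted(hosts)


# Constructed sample responses for one page of a hypothetical site.
ANON_HTML = (
    '<p>Welcome</p>'
    '<div class="widget"><a href="http://spam.example/pills">cheap pills</a>'
    '<a href="http://spam.example/loans">loans</a></div>'
    '<a href="/about">About</a>'
)
LOGGED_IN_HTML = (
    '<div id="wpadminbar"><a href="/wp-admin/">Dashboard</a></div>'
    '<p>Welcome</p><a href="/about">About</a>'
)

if __name__ == "__main__":
    hidden = cloaked_links(ANON_HTML, LOGGED_IN_HTML)
    print("cloaked links:", hidden)
    print("off-site hosts:", external_hosts(hidden, "blog.example"))
```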
This version was pulled on July 1, only to be followed by version 2.6.2 on July 6. This version still retained geolocation.php, still not recognized as malicious, along with some other minor changes, including an on/off option. This version stayed active until July 23, when another user reported that Display Widgets was spamming his website, resulting in the plugin again being removed on July 24.
Nothing happened in August, but on September 2 version 2.6.3 was issued. It still had the malicious code, and WordPress noticed that the new developer had even fixed a few bugs in geolocation.php, which made it obvious the owner was purposefully maintaining the malware. On September 7 another complaint was made concerning the plugin, forcing its removal the next day.
WordFence noted that each time the plugin was removed it issued a “Critical Alert” to warn users and it strongly recommended that all WordPress users have the WordFence security plugin installed on their computers and pay attention to the email alerts.