Sizable Campaign Targets Old & Outdated WordPress Plugins

This week emphasizes the importance of keeping a website up to date.

A notable hacking campaign potentially affecting a huge number of websites began again late last week and is ongoing. The attacker is once again searching out WordPress websites that use old and outdated (albeit widely-used) plugins. It is the ‘widely-used’ part that makes the attack problematic. Because the targeted plugins are so widely used, there is a good chance the attacker is having some success at locating, and then taking control of, vulnerable websites.

Last week a security vulnerability was discovered in one of the world’s most popular web form creator plugins — Ninja Forms. An attacker exploiting it could craft a phishing email. The phishing email would most likely have a link that, if followed, would execute a malicious PHP script.

Also this past week a security vulnerability was discovered in a popular page builder add-on — Elementor (Pro version). A plugin named Ultimate Addons was affected by the same vulnerability. If exploited, this vulnerability could allow an attacker to gain administrative access to a site. Both plugins have since received updates from their creators.

Last week a security vulnerability was found in SiteOrigin — a plugin installed on over 1 million websites. Successful exploitation could result in the execution of malicious code in the administrator’s browser — if the attacker can trick the administrator into (for example) clicking on a link that then executes a malicious script.

On April 23rd GoDaddy announced that the SSH usernames and passwords of 28,000 customer accounts had been compromised by an unauthorized individual in the hosting environment.

There are countless other exploits that affect websites. This is only a tiny slice of what happened in the computer security arena last week. Similar attacks occur non-stop — 52 weeks a year. Some are automated (bots), some are accomplished through straight hacking, and some exist as hybrids. It simply isn’t possible to know every line of code in every website, so one of the best defenses is a good offense.

A good offense is having up-to-date software, so update often. There is no guarantee a 0-day can’t still nip you in the butt, but for the effort required, updating is the quickest and easiest thing that you can do to protect your website.

As well, look at the entire operating environment. Configure supporting apps to limit exposure by disabling unused options. Ensure that options enabled out of their default [off] settings aren’t introducing additional vulnerabilities. Again, make sure that updates (and/or mitigation) are applied as quickly as possible when a vulnerability is announced.
