WordPress sites hijacked via “free” premium plugins

If you run a WordPress site, and are trying to make some money through it, think twice before installing “free” versions of premium plugins.

Researchers from Sucuri have recently analyzed a couple of third-party websites offering such versions for download, and have discovered more than one plugin equipped with malicious code aimed at hijacking any WP site on which they are installed.

The lure is actually quite clever – it is well known that some people are simply never going to pay for software they think they can get for free. But, unfortunately, they might end up paying another kind of price later on.

What motivated the researchers to do a more in-depth investigation into the matter was finding a “free” SEOPressor plugin installed on a severely infected site they were tasked with cleaning.

After analyzing the plugin’s obfuscated code, they discovered code that notifies the developer who modified it of the site’s URL via email. The attacker then visits the site and adds specific parameters to the URL that allow the creation of a new admin user (with a specific password known to the attacker).

“The attacker can now log into WordPress with admin permissions and do whatever he wants with the blog, with the whole site (e.g. injecting a backdoor to some theme or plugin, and then using it to upload malicious files to the server), with the server account (all sites that share the same account can be easily compromised now) and even with the whole server,” the researchers note.
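As an added, defender-side illustration (not from the article or from Sucuri’s analysis), the following heuristic scanner walks a plugin directory and flags the combination of behaviours described above: an administrator account created from request parameters, a mail call that carries the site URL, and eval of a decoded payload. The rule names, patterns and the two fixture files are assumptions made for the example.

```python
# Added example (not Sucuri's code): heuristic check for the backdoor pattern described above; rules and fixtures are assumptions.
import re
from pathlib import Path

# Each rule names one behaviour and a regex that suggests it in PHP source.
RULES = [
    ("obfuscation", re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(")),
    ("mail_call", re.compile(r"\b(wp_mail|mail)\s*\(")),
    ("site_url", re.compile(r"\b(get_site_url|site_url|home_url|get_bloginfo)\s*\(")),
    ("user_creation", re.compile(r"\b(wp_insert_user|wp_create_user)\s*\(")),
    ("request_input", re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")),
    ("admin_role", re.compile(r"""['"]administrator['"]""")),
]

def scan_source(src: str) -> set:
    """Return the names of all rules that match anywhere in the source."""
    return {name for name, rx in RULES if rx.search(src)}

def classify(hits: set) -> list:
    """Combine hits into findings; a lone mail() or $_POST is normal plugin code."""
    findings = []
    if {"user_creation", "request_input", "admin_role"} <= hits:
        findings.append("request-controlled admin creation")
    if {"mail_call", "site_url"} <= hits:
        findings.append("site URL sent by e-mail (phone-home)")
    if "obfuscation" in hits:
        findings.append("eval of decoded payload")
    return findings

def scan_plugin_dir(root: Path) -> dict:
    """Map each .php file under root to its findings, omitting clean files."""
    report = {}
    for path in sorted(root.rglob("*.php")):
        findings = classify(scan_source(path.read_text(errors="replace")))
        if findings:
            report[str(path.relative_to(root))] = findings
    return report

# Constructed fixtures (tokens of the pattern only, not working plugins).
SUSPICIOUS = """<?php
$u = $_GET['<param>'];
wp_insert_user(array('user_login' => $u, 'role' => 'administrator'));
mail('<recipient>', 'site', get_site_url());
eval(base64_decode('<blob>'));
"""
BENIGN = """<?php
$msg = sanitize_text_field($_POST['message']);
wp_mail(get_option('admin_email'), 'Contact form', $msg);
"""
```

Run `scan_plugin_dir(Path("wp-content/plugins"))` against a site copy; matches are leads for manual review, since legitimate user-management plugins also create accounts.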

via WordPress sites hijacked via “free” premium plugins.

Author: Daniel Garrie

Daniel Garrie is a renowned computer forensics, e-discovery, privacy, and cyber security expert and thought leader. Quoted in Forbes and profiled in the Los Angeles Daily Journal, he is a frequently retained neutral and Chair of Alternative Resolution Center’s (ARC) E-Discovery and Forensic Dispute Resolution practice. Today, Mr. Garrie is a Partner and General Counsel for Law and Forensics LLC, a boutique legal strategy and forensics firm that works with clients across industries to address privacy, e-discovery and forensic issues in the U.S. and abroad. In the past two years, Mr. Garrie has been involved in over 50 e-discovery matters both in the U.S. and abroad.