If you own or manage a WordPress website, then you should not need reminding that keeping the site core, its themes, and all of its plugins fully up to date is imperative if you want to avoid malware and being hacked.
That may be easy for me to say, as managing websites for clients is my job, but I appreciate that if you are running a business, maintaining your website may not always be at the top of your priority list.
So why am I mentioning this now? Antivirus vendor Doctor Web has discovered a malicious Linux program that hacks websites built on the WordPress CMS. That means that even custom websites based on WordPress are vulnerable. The program targets both 32-bit and 64-bit Linux systems, giving its operator remote command capabilities. It exploits 30 vulnerabilities in a number of plugins and themes.
Now named Linux.Backdoor.WordPressExploit.1, the trojan receives the address of the website it is to target from a C&C server and then tries to exploit 19 known vulnerabilities in a number of WordPress plugins and themes. In doing so, it starts 250 separate processes. If a vulnerability is unpatched and exploitation succeeds, the backdoor reports this to the C&C server.
Plugins and themes that the trojan tries to exploit:
- WP Live Chat Support Plugin
- WordPress – Yuzo Related Posts
- Yellow Pencil Visual Theme Customizer Plugin
- WP GDPR Compliance Plugin
- Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
- Thim Core
- Google Code Inserter
- Total Donations Plugin
- Post Custom Templates Lite
- WP Quick Booking Manager
- Facebook Live Chat by Zotabox
- Blog Designer WordPress Plugin
- WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
- WP-Matomo Integration (WP-Piwik)
- WordPress ND Shortcodes For Visual Composer
- WP Live Chat
- Coming Soon Page and Maintenance Mode
Whilst it may seem that redirecting website visitors is merely an inconvenience that only affects badly maintained or abandoned sites, the trojan also contains unimplemented functionality for hacking the administrator accounts of targeted websites by trying known logins and passwords from wordlists (the brute-force attack method). This functionality may have been present in earlier modifications of the trojan, or may be planned for inclusion in future versions.
An updated version of the payload that Dr. Web observed in the wild also targets the following WordPress add-ons:
- Brizy WordPress Plugin
- FV Flowplayer Video Player
- WordPress Coming Soon Page
- WordPress theme OneTone
- Simple Fields WordPress Plugin
- WordPress Delucks SEO plugin
- Poll, Survey, Form & Quiz Maker by OpinionStage
- Social Metrics Tracker
- WPeMatico RSS Feed Fetcher
- Rich Reviews plugin
The new add-ons targeted by the updated variant indicate that the development of the backdoor is active at the moment.
As you can see, there are some very popular themes and plugins in this list, so keeping your site fully up to date to avoid being hacked is of paramount importance. Sometimes this may well mean deleting a plugin that is no longer being maintained and replacing it with an alternative that does the same task and is fully up to date.
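As an added example (not from this post, nor from Doctor Web), here is a short Python audit that reads the JSON WP-CLI prints for `wp plugin list --format=json` and flags each plugin as "update", "remove" or "verify", giving priority to the add-ons named in the two lists above. The plugin slugs, titles and version numbers in the embedded sample are constructed so the script runs offline; the title matching is approximate and is a prompt to check, not proof that a given build is vulnerable.

```python
"""Audit a WordPress site's plugins against the add-ons named in the post.

Input is the JSON that WP-CLI emits for
    wp plugin list --format=json --fields=name,title,status,version,update,update_version
The SAMPLE_PLUGIN_LIST below is constructed (slugs, titles and versions are
illustrative, not real output) so the script runs without a WordPress install.
"""
import json
import sys
from typing import List

# Display names from the post's two lists, matched case-insensitively as
# substrings of each plugin's `title`. Approximate by design: a match means
# "check this one", not "this build is vulnerable".
TARGETED_TITLES = [
    "WP Live Chat Support", "Yuzo Related Posts", "Yellow Pencil",
    "WP GDPR Compliance", "Thim Core", "Google Code Inserter", "Total Donations",
    "Post Custom Templates Lite", "WP Quick Booking Manager",
    "Facebook Live Chat by Zotabox", "Blog Designer", "Ultimate FAQ", "WP-Matomo",
    "ND Shortcodes", "Coming Soon Page", "Brizy", "FV Flowplayer", "Simple Fields",
    "Delucks SEO", "OpinionStage", "Social Metrics Tracker", "WPeMatico", "Rich Reviews",
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample standing in for `wp plugin list --format=json ...` output.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "wp-gdpr-compliance", "title": "WP GDPR Compliance", "status": "active",
     "version": "1.0.0", "update": "available", "update_version": "1.0.1"},
    {"name": "akismet", "title": "Akismet Anti-spam", "status": "active",
     "version": "5.0", "update": "none", "update_version": ""},
    {"name": "blog-designer", "title": "Blog Designer", "status": "inactive",
     "version": "1.0.0", "update": "none", "update_version": ""},
    {"name": "yuzo-related-post", "title": "Yuzo Related Posts", "status": "active",
     "version": "1.0.0", "update": "none", "update_version": ""},
    {"name": "hello-dolly", "title": "Hello Dolly", "status": "inactive",
     "version": "1.7.2", "update": "none", "update_version": ""},
])


def is_targeted(title: str) -> bool:
    """True if the plugin's display title contains one of the names from the post."""
    lowered = title.lower()
    return any(name.lower() in lowered for name in TARGETED_TITLES)


def audit_plugins(plugin_list_json: str) -> List[dict]:
    """Return one finding per plugin that needs attention, most urgent first."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        title = plugin.get("title") or plugin["name"]
        targeted = is_targeted(title)
        update_available = plugin.get("update") == "available"
        inactive = plugin.get("status") == "inactive"
        tag = " (named in the backdoor's target list)" if targeted else ""

        if update_available:
            findings.append({
                "name": plugin["name"], "action": "update",
                "severity": "critical" if targeted else "medium",
                "detail": f"{plugin.get('version')} -> {plugin.get('update_version')}{tag}",
            })
        elif inactive:
            # Inactive plugin code is still on disk; delete what is not in use.
            findings.append({
                "name": plugin["name"], "action": "remove",
                "severity": "high" if targeted else "low",
                "detail": f"inactive{tag}",
            })
        elif targeted:
            # WP-CLI only offers updates for plugins still published; a targeted
            # plugin with no update on offer must be checked or replaced by hand.
            findings.append({
                "name": plugin["name"], "action": "verify", "severity": "high",
                "detail": "active, no update offered: confirm it is patched or replace it",
            })
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["name"]))
    return findings


def report(findings: List[dict]) -> str:
    """Render findings one per line for a terminal or a cron mail."""
    lines = [f"[{f['severity']}] {f['name']}: {f['action']} ({f['detail']})" for f in findings]
    return "\n".join(lines) or "no findings"


if __name__ == "__main__":
    # Pipe real WP-CLI output in, or fall back to the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLUGIN_LIST
    print(report(audit_plugins(raw)))
```

Run it on a live site with `wp plugin list --format=json --fields=name,title,status,version,update,update_version | python3 audit_plugins.py` (the filename is an assumption). The "verify" outcome is the one worth noting: a plugin that has been pulled from the WordPress.org repository never shows an update, so an unpatched copy looks clean to a plain "updates available?" check, which is exactly the case where the post's advice to replace an unmaintained plugin applies.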
If you don’t really have the time, it is well worth the cost of employing a WordPress specialist to manage and maintain your website and ensure it is never at risk.
We offer a Managed Website Service with competitive pricing starting at as little as $200 per annum. So please don’t take chances and just hope your site is not hacked. Take action now and enjoy peace of mind knowing you have everything under control.