Hackers have come up with a never-before-seen method of installing backdoored plugins on websites running the open-source WordPress CMS, and this new technique relies on using weakly protected WordPress.com accounts and the Jetpack plugin.
The technique is highly complex, and to compromise a site, a hacker must go through different steps, during which multiple things can prevent the attack from being successful.
Nevertheless, attacks have been happening since May 16, according to a report from WordPress site security firm Wordfence and several posts on the official WordPress.org forums from site owners who had their sites hijacked by crooks.
How this new attack works
The first step of this attack consists of hackers taking usernames and passwords from public breaches and attempting to log into WordPress.com accounts.
Users who reused passwords across accounts and who did not enable two-factor authentication for their profiles are susceptible to these account take-over attempts.
To be clear, WordPress.com accounts are used to manage professional blogs hosted by Automattic, and are different from both WordPress.org accounts and the admin accounts of self-hosted WordPress sites that are based on the open-source CMS.
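The credential-stuffing step described above leaves a recognisable trace in login telemetry: one source address cycling through many distinct usernames with mostly failed attempts, and the occasional success marking an account that reused a breached password. The following Python is an added example, not code from the original report or from WordPress or Jetpack; it parses constructed login events in an assumed one-line format and flags such source addresses.

```python
import re
from collections import defaultdict

# Constructed sample login events (not real data). Assumed format:
# "<timestamp> <source-ip> <username> <OK|FAIL>", one event per line.
SAMPLE_LOG = """\
2017-05-16T10:00:01Z 203.0.113.7 alice FAIL
2017-05-16T10:00:02Z 203.0.113.7 bob FAIL
2017-05-16T10:00:03Z 203.0.113.7 carol FAIL
2017-05-16T10:00:04Z 203.0.113.7 dave FAIL
2017-05-16T10:00:05Z 203.0.113.7 erin FAIL
2017-05-16T10:00:06Z 203.0.113.7 frank OK
2017-05-16T10:01:00Z 198.51.100.4 alice FAIL
2017-05-16T10:01:05Z 198.51.100.4 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_events(text):
    """Parse log text into (ts, ip, user, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, outcome = m.groups()
            events.append((ts, ip, user, outcome == "OK"))
    return events


def detect_credential_stuffing(events, min_users=5, max_success_rate=0.5):
    """Flag source IPs that tried at least min_users distinct usernames with a
    low success rate. Returns {ip: {"users": n, "failures": n, "successes": [user, ...]}};
    the listed successes are the accounts most likely taken over."""
    per_ip = defaultdict(lambda: {"users": set(), "failures": 0, "successes": []})
    for _ts, ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        if ok:
            stats["successes"].append(user)
        else:
            stats["failures"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        attempts = s["failures"] + len(s["successes"])
        success_rate = len(s["successes"]) / attempts
        if len(s["users"]) >= min_users and success_rate <= max_success_rate:
            flagged[ip] = {"users": len(s["users"]), "failures": s["failures"],
                           "successes": list(s["successes"])}
    return flagged
```

In the sample, 203.0.113.7 is flagged with one successful login (frank), while 198.51.100.4 is a single user retrying their own password and is not flagged.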
... ... ...