Three Years Later, Hundreds of Sites Still Use Backdoored WordPress Plugins

[LASER_oneXM]

More than a year after revealing the presence of intentionally malicious code inside the source code of 14 WordPress plugins, experts warn that hundreds of sites are still using the boobytrapped components.

In late October 2016, security experts from White Fir Design —the company behind the "Plugin Vulnerabilities" WordPress plugin— warned the public about the presence of mysterious code inside 14 plugins that allowed an attacker to execute remote code on WordPress sites.

"The code didn’t really look like it had a legitimate purpose, possibly indicating that the code was intentionally malicious," experts said.

Malicious plugins removed from WordPress site in 2014
White Fir tied the 14 plugins to a 2014 blog post from Thomas Hambach, a web developer living in Hong Kong, who discovered the same malicious code

Hambach said that attackers were using the malicious code to insert SEO spam links on hijacked sites, and emailing the attacker the site's URL, and other details.

The WordPress team intervened following Hambach's discovery, and by February 2014 had removed the plugin he found, and by late 2014, they removed all the 14 malicious plugins from the official WordPress Plugin Directory.

Hundreds of WP sites continued to use backdoored plugins
These past attacks came into the spotlight again when recently, the WordPress Plugin Directory was changed so that the pages for old plugins that have been closed remain visible, albeit with the download option disabled. Previously, these pages were not accessible to the public.

Pages for all the former plugins that featured the intentional malicious code show that even after almost three years after the WordPress team removed the plugins from public download, there are hundreds of sites that still use them.

WordPress team has limited options at its disposal
Trying to protect users from easily hackable sites that could be abused for malware distribution and more, some experts have suggested that the WordPress team alert site owners when a plugin has been removed from the official WordPress Plugins Directory for security reasons.

WordPress staffers quickly shot down this idea, saying that this would put WordPress sites at a greater risk.

"IF an exploit exists and we publicize that fact without a patch, we put you MORE at risk," said Mika Epstein, a member of the WordPress team. "If we make it known there is an exploit, [MOST] hackers attack everyone. If we don't tell anyone, then hackers who DO know will attack, but they would have anyway."

But experts weren't happy with this resolution, and some argued that WordPress staffers should take the very intrusive step of removing the vulnerable plugins from affected sites.