Hackers are targeting sites which use the popular web hosting platform WordPress by infecting some common plugins. According to security researchers with Wordfence, the WordPress plugins hack affected more than nine different plugins. The vulnerabilities allowed hackers to create false administrator accounts on some websites using the plugins.
WordPress plugins hack uncovered
In a blog post, a Wordfence researcher said most of the attacks from the WordPress plugins hack came from a single IP address belonging to a Rackspace server that hosts some websites presumed to have been compromised. The security firm said it contacted Rackspace to warn it about the compromised websites on its server but had not heard back by the time the researchers wrote the blog post.
The plugins which were hacked include:
- Blog Designer
- Bold Page Builder
- Form Lightbox
- Hybrid Composer
- Live Chat with Facebook Messenger
- All former NicDark plugins, which include nd-learning, nd-travel, nd-booking and others
- Visual CSS Style Editor
- WP Live Chat Support
- Yuzo Related Posts
Researchers said the WordPress plugins hack injected scripts which threw up malicious redirects or other unwanted popups in the browsers of visitors. Since the hack was originally detected in July, the hackers have added another script which tries to install a backdoor into the website by exploiting an administrator session.
What to do about the hack
Whenever the administrator logs into an infected WordPress site, the new script tries to use their credentials to create a new administrator account using the name wpservices. The hackers control the new malicious WordPress account and use it to complete various other activities. Wordfence researchers believe the creation of the malicious administrator accounts is a sign that the hackers may be preparing to conduct even more attacks using infected WordPress websites.
Website administrators who use WordPress are advised to update all of their plugins to the newest version to keep their sites from being exposed to the attack. Researchers also advise removing malicious accounts created by the malware and scanning the site to ensure there are no other backdoors installed.
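One way to carry out the account check described above, as an added example that is not from Wordfence or the original article: it audits a JSON export of administrator accounts for the wpservices name and for any administrator missing from an approved list. The export shape assumes WP-CLI's `wp user list` output; the sample accounts, dates, approved list and review cutoff are constructed.

```python
import json
from datetime import datetime

# Account name the article reports the injected script creating.
KNOWN_BAD_LOGINS = {"wpservices"}

# Constructed sample, shaped like the JSON printed by:
#   wp user list --role=administrator \
#     --fields=ID,user_login,user_email,user_registered --format=json
SAMPLE_EXPORT = """[
  {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.test", "user_registered": "2017-03-02 10:15:00"},
  {"ID": 7, "user_login": "editor-in-chief", "user_email": "eic@example.test", "user_registered": "2018-11-20 08:00:00"},
  {"ID": 42, "user_login": "WPServices", "user_email": "x@example.test", "user_registered": "2019-08-30 02:14:09"},
  {"ID": 43, "user_login": "helpdesk", "user_email": "y@example.test", "user_registered": "2019-08-30 02:20:41"}
]"""


def audit_admins(export_json, approved_logins, review_since):
    """Return [(ID, login, reasons)] for administrator accounts needing review."""
    approved = {name.casefold() for name in approved_logins}
    cutoff = datetime.strptime(review_since, "%Y-%m-%d")
    findings = []
    for user in json.loads(export_json):
        login = user["user_login"].strip()
        reasons = []
        # Compare case-insensitively so "WPServices" does not slip past.
        if login.casefold() in KNOWN_BAD_LOGINS:
            reasons.append("known-bad login")
        if login.casefold() not in approved:
            reasons.append("not on approved admin list")
        if not reasons:
            continue
        # Creation time is context for triage, not a trigger on its own.
        created = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if created >= cutoff:
            reasons.append("created in review window")
        findings.append((int(user["ID"]), login, reasons))
    return findings


if __name__ == "__main__":
    # Approved list and cutoff date are assumptions a site owner would supply.
    for uid, login, reasons in audit_admins(
        SAMPLE_EXPORT, ["siteowner", "editor-in-chief"], "2019-07-01"
    ):
        print(f"user {uid} ({login}): {', '.join(reasons)}")
```

An administrator that is absent from the approved list but does not use the reported name is still flagged, since the account name is the easiest detail for an attacker to change.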