A total of 200,000 WordPress sites have been infected by a recent malware campaign delivered through the Display Widgets plug-in. The plug-in installs a backdoor that lets malicious actors collect visitor IP addresses, publish spam and more.
According to Wordfence, the recent malware attack was traced to the Display Widgets plug-in. Display Widgets was created to manage how other plug-ins are shown on a website. Although the plug-in has been blocked and removed, the malicious actor did not give up on damaging websites so easily.
Security Week reported that Display Widgets was sold by its original developer. Once sold, the plug-in was updated to include a backdoor. David Law, a freelance SEO consultant, detected the attack and notified Wordfence about the malware. Wordfence blocked and removed the plug-in shortly after being informed of its malicious activity.
Unfortunately, just seven days later, the malicious plug-in showed up again, and this time it contained an extra file called geolocation.php. The additional malicious file was added to the newly released version 2.6.1, which used the same technique as the earlier versions to target sites running on the WordPress platform. The websites' admin panels did not display the malicious content, but Law discovered the malware by tracing visits to an external server.
The malicious plug-in kept reappearing day after day. According to SC Magazine, its owner continued running the same type of attack: the plug-in appeared on WordPress at least four times in total before it was completely removed and blocked from the platform.
“If you have a plugin called ‘Display Widgets’ on your WordPress website, remove it immediately. The last three releases of the plugin have contained code that allows the author to publish any content on your site. It is a backdoor,” Wordfence reported.
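A defender checking whether a site still carries this plug-in does not have to rely on the admin panel, which the article notes showed nothing suspicious. The script below is an added example, not code from the article, Wordfence or the Display Widgets project: it walks a WordPress installation's plug-in directory, reads the standard plug-in header block ("Plugin Name:", "Version:") and flags any plug-in that identifies itself as Display Widgets or that ships the geolocation.php file the article describes in version 2.6.1. The directory slug "display-widgets" and the sample site layout it builds are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumptions (not stated in the article): the plug-in's directory slug on
# wordpress.org is "display-widgets", and plug-ins declare their metadata in the
# standard WordPress header comment of their main PHP file.
SUSPECT_SLUG = "display-widgets"
SUSPECT_NAME = "display widgets"
SUSPECT_FILE = "geolocation.php"   # extra file added in version 2.6.1 per the article
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def read_plugin_header(plugin_dir: Path) -> Dict[str, str]:
    """Return Plugin Name / Version from the first PHP file that carries a WordPress header."""
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]   # headers sit at the top of the file
        fields = {key: value for key, value in HEADER_RE.findall(head)}
        if "Plugin Name" in fields:
            return fields
    return {}


def audit_plugins(wp_root) -> List[Dict]:
    """Walk wp-content/plugins and report every plug-in matching the indicators above."""
    plugins_dir = Path(wp_root) / "wp-content" / "plugins"
    findings: List[Dict] = []
    if not plugins_dir.is_dir():
        return findings
    for plugin_dir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        header = read_plugin_header(plugin_dir)
        name = header.get("Plugin Name", "")
        reasons = []
        if plugin_dir.name == SUSPECT_SLUG or name.lower() == SUSPECT_NAME:
            reasons.append("plug-in identifies itself as Display Widgets")
        # The backdoored release hid its payload in an extra file; look for it anywhere in the tree.
        extra = [str(p.relative_to(plugin_dir)) for p in plugin_dir.rglob(SUSPECT_FILE)]
        if extra:
            reasons.append(f"contains {SUSPECT_FILE}: {', '.join(extra)}")
        if reasons:
            findings.append({
                "slug": plugin_dir.name,
                "name": name,
                "version": header.get("Version", "unknown"),
                "reasons": reasons,
            })
    return findings


def make_sample_site(root: Path) -> None:
    """Build a constructed, minimal WordPress layout: one benign plug-in and one flagged one."""
    suspect = root / "wp-content" / "plugins" / SUSPECT_SLUG
    suspect.mkdir(parents=True)
    (suspect / "display-widgets.php").write_text(
        "<?php\n/*\nPlugin Name: Display Widgets\nVersion: 2.6.1\n*/\n")
    (suspect / SUSPECT_FILE).write_text("<?php // constructed stand-in for the extra file\n")
    benign = root / "wp-content" / "plugins" / "hello-dolly"
    benign.mkdir(parents=True)
    (benign / "hello.php").write_text(
        "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.6\n*/\n")


def run_demo() -> List[Dict]:
    """Audit the constructed sample site and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_site(Path(tmp))
        return audit_plugins(tmp)


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding['slug']} ({finding['name']} {finding['version']}):")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

Run `audit_plugins("/path/to/wordpress")` against a real installation to list matches; a hit on either indicator is a reason to remove the plug-in directory outright, as Wordfence advised, rather than to update it.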
WordPress blocked the developer and, each time the Display Widgets plug-in was deleted, sent out notifications and alerts carrying a critical warning that the Display Widgets plug-in had been removed from wordpress.org.
Although the plug-in's damage was limited to spamming, this story illustrates how persistent attackers can be and shows the relative ease with which plug-ins can be updated and turned to malicious ends.