As alarming as the title of this blog post is, no hype is intended and it’s absolutely accurate.
At the end of 2017 and the beginning of 2018, it came out that the WordPress.org repository had removed 4 plugins from its directory. This was because the repository's maintainers found that these four plugins contained a backdoor through which malicious code could be injected into the WordPress sites running them, in what is called a supply chain attack.
What is a Supply Chain Attack?
Basically, it's when attackers use a software update to embed or inject malware, spam, or links into the sites that use that software. This doesn't affect just WordPress websites, because virtually all websites use software to operate.
In the case of WordPress, the most common scenario is that these malicious actors search the WordPress repository for plugins that appear to have been abandoned by their developers/creators, meaning the developers have stopped providing regular support and updates for them.
They then approach the plugin developers with an offer to buy their plugins. Since most plugins (and themes) on WordPress are free to use, this is an enticing offer for developers who have stopped supporting their plugins and would like to cash out.
The malicious actors then purchase the plugin and publish a plugin update, which is downloaded by the plugin's unsuspecting users. This method of attack works because the users of these WordPress plugins have developed a trusting relationship with the software/plugin developer and expect them to keep supporting and updating their plugin(s).
What Plugins Are We Talking About?
So which plugins have recently been discovered to have fallen into this situation?
- Duplicate Page and Post
- WP No External Links
- No Follow All External Links
- Captcha Plugin
So How Do You Protect Your Site?
1.) As a rule of thumb, be wary of downloading plugins that have not been updated for more than a year.
You would be surprised by how many plugins haven't been updated in more than 2 years. These unsupported plugins present 2 main issues to their users: performance and security.
Performance: WordPress is updated and upgraded fairly regularly, and as new versions of WordPress come out, these plugins may stop working altogether, or cause conflicts that make your website stop working for your users. That's why you often see this message next to a plugin that has not been updated to work with the current version of WordPress: Untested with your version of WordPress. So in general, if a plugin has not been updated in the past 8-12 months, we tend to look for another.
Security: Any bugs and unpatched security holes discovered in a plugin make the plugin and its users a prime target for hacking, and your site a candidate for compromise. In fact, most successful hacks of WordPress sites are due to themes, plugins, and even the WordPress core files not being updated frequently. So always back up your sites and update your themes, plugins, and WordPress itself.
2.) Screen the plugins you are about to install.
This goes for themes as well.
One of the ways you can do this is by looking at the reviews left by current and past users. I generally look at both the 5 star and 1 star reviews, because sometimes you can tell if past issues that generated the 1 star reviews have been resolved, or not. And if these past issues have been fixed by subsequent updates, this often leads to the more recent positive reviews.
Also, by looking at the 1 star reviews, you can tell whether the most recent reviews are negative. If users keep leaving negative reviews and there hasn't been a plugin update for a long time, you can judge that the plugin developer seems to have stopped supporting and updating the plugin.
A general rule of thumb we use is, the more established and active the plugin developer is, the better.
3.) Remove any plugins that haven’t been updated for a while.
Here's an easy way to tell if the plugins currently installed on your website haven't been updated for a long time. Simply go to Plugins > Installed Plugins on the left side of your WordPress dashboard. Then click View details, which is normally next to the author of the plugin; the details window shows when the plugin was last updated. Just like this image below shows.
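If you manage more than a handful of sites, clicking View details on every plugin gets old quickly. The script below is an added example, not code from the original post, that applies the rules of thumb from steps 1 and 3 in bulk: for each installed plugin slug it reads the plugin's `last_updated` date and `tested` (tested up to) version, as returned by the public WordPress.org plugin info API, and flags plugins that are older than a configurable limit or untested against the WordPress version you run. The plugin slugs, names and dates in `SAMPLE_API` are constructed for the demo so it runs offline; `fetch_from_wordpress_org` is the live lookup you would swap in, and the cutoff of 365 days is an assumption taken from step 1.

```python
import json
import urllib.request
from datetime import date, datetime

# Constructed sample responses in the shape of the WordPress.org plugin info API
# (https://api.wordpress.org/plugins/info/1.0/<slug>.json). The real response has
# many more fields; slugs, names and dates here are made up for this example.
SAMPLE_API = {
    "fresh-forms": {"name": "Fresh Forms", "last_updated": "2018-01-10 3:05pm GMT", "tested": "4.9.2"},
    "dusty-widget": {"name": "Dusty Widget", "last_updated": "2015-06-02 9:40am GMT", "tested": "4.2.4"},
    "half-year-cache": {"name": "Half Year Cache", "last_updated": "2017-07-20 11:00am GMT", "tested": "4.8.1"},
}


def fetch_from_wordpress_org(slug):
    """Live lookup against WordPress.org (network access). Not used by demo_report()."""
    url = "https://api.wordpress.org/plugins/info/1.0/%s.json" % slug
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def parse_last_updated(value):
    # The API reports e.g. "2018-01-10 3:05pm GMT"; the date part is all we need.
    return datetime.strptime(value[:10], "%Y-%m-%d").date()


def version_tuple(version):
    # Compare major.minor only: "4.9.2" tested against WordPress 4.9.4 is fine.
    return tuple(int(part) for part in version.split(".")[:2])


def audit_plugins(slugs, wp_version, today, max_age_days=365, fetch=SAMPLE_API.get):
    """Return one report entry per slug with the age of its last update and any flags."""
    report = []
    for slug in slugs:
        info = fetch(slug)
        # A slug that the directory no longer knows (removed plugins, typos) is
        # worth a look on its own: you cannot get updates for it any more.
        if not info or "error" in info:
            report.append({"slug": slug, "status": "not-in-directory", "flags": ["not-in-directory"]})
            continue
        age_days = (today - parse_last_updated(info["last_updated"])).days
        flags = []
        if age_days > max_age_days:
            flags.append("stale")
        if version_tuple(info["tested"]) < version_tuple(wp_version):
            flags.append("untested")
        report.append({
            "slug": slug,
            "status": "ok" if not flags else "review",
            "days_since_update": age_days,
            "tested": info["tested"],
            "flags": flags,
        })
    return report


def demo_report():
    """Offline run over the constructed sample as of a fixed date."""
    slugs = ["fresh-forms", "dusty-widget", "half-year-cache", "vanished-plugin"]
    return audit_plugins(slugs, wp_version="4.9.4", today=date(2018, 2, 1))


if __name__ == "__main__":
    for entry in demo_report():
        print(entry)
```

To run it against a real site, replace the slug list with the directory names under `wp-content/plugins/` and pass `fetch=fetch_from_wordpress_org`. Anything flagged `stale`, `untested` or `not-in-directory` is a candidate for step 3's removal list, not an automatic verdict: a small, finished plugin can legitimately go a year without changes, so read the flags together with the reviews from step 2.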
4.) Scan your website regularly for malware.
A good plugin you can use to do that is Wordfence.
5.) Keep a close eye on your website.
If you notice significant performance issues, funny-looking code, spam, or links on your site, or anything out of the ordinary, start by running a malware scan. You can do that with the Wordfence plugin mentioned above. Sometimes it can be pretty obvious that your site has been hacked.
Many times there are tell-tale signs that something is amiss. At that point, if you don't know what to do, contact your website developer or hire a professional service to have a look at your site.
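Because a supply chain attack arrives through a plugin update, the files that changed in that update are exactly the ones worth looking at. The script below is an added example, not part of the original post and not how Wordfence works internally: it takes a SHA-256 snapshot of a plugin directory before an update, another after, and runs only the added and modified files through a small set of indicator patterns (an `eval()` of a decoded string, a very long base64 blob, a remote `include`, a hidden link). The plugin files, the "update" and the indicator list are all constructed for the demo, which runs in a temporary directory; a hit is a reason to read the file, not proof that the site is compromised.

```python
import hashlib
import os
import re
import tempfile

# Constructed indicator list for this example. Each pattern describes a shape
# that injected PHP often takes; legitimate code can match too, so treat a hit
# as "read this file", not as a verdict.
INDICATORS = {
    "eval-of-decoded-string": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    "long-base64-blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    "remote-include": re.compile(r"(include|require)(_once)?\s*\(?\s*['\"]https?://"),
    "hidden-link": re.compile(r"<a [^>]*display\s*:\s*none", re.IGNORECASE),
}


def snapshot(plugin_dir):
    """Map of relative path -> sha256 hex digest for every file under plugin_dir."""
    manifest = {}
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, plugin_dir).replace(os.sep, "/")] = digest
    return manifest


def diff_snapshots(before, after):
    """Which files an update added, removed or changed."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def scan_file(path):
    """Names of the indicator patterns that match anywhere in the file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def review_update(plugin_dir, before, after):
    """Scan only what the update touched; return the change set and per-file hits."""
    changes = diff_snapshots(before, after)
    hits = {}
    for rel in changes["added"] + changes["modified"]:
        found = scan_file(os.path.join(plugin_dir, rel))
        if found:
            hits[rel] = found
    return changes, hits


def write(plugin_dir, rel, text):
    path = os.path.join(plugin_dir, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Constructed plugin, constructed update: a harmless version bump plus a new loader file."""
    with tempfile.TemporaryDirectory() as d:
        write(d, "plugin.php", "<?php\n/* Plugin Name: Demo Plugin\nVersion: 1.0 */\n"
                               "function demo_plugin_init() { return true; }\n")
        write(d, "readme.txt", "=== Demo Plugin ===\nStable tag: 1.0\n")
        before = snapshot(d)
        # The "update": version bump (benign) and a new file with an eval of a decoded string.
        write(d, "plugin.php", "<?php\n/* Plugin Name: Demo Plugin\nVersion: 1.1 */\n"
                               "function demo_plugin_init() { return true; }\n")
        write(d, "inc/loader.php", "<?php\neval(base64_decode('aGVsbG8='));\n")
        after = snapshot(d)
        return review_update(d, before, after)


if __name__ == "__main__":
    changes, hits = demo()
    print("changes:", changes)
    print("indicator hits:", hits)
```

In practice you would store the `snapshot()` output for each plugin in a file outside the web root (or a backup, as step 1 already recommends), rerun it after every update, and review whatever `review_update()` lists. The point of hashing first is that it catches files that change even when no pattern fires: an update that quietly rewrites a file you never expected it to touch is the signal, and the indicator list only helps prioritise what to read.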