- Security researchers find more than 5,000 websites carrying a piece of malicious code
- The malware installs a plugin that steals login credentials and sensitive data
- The researchers recommended a number of mitigation measures
Thousands of WordPress websites were observed running malware able to create a rogue admin account and exfiltrated sensitive data through malicious plugins.
A new report from security researcher Himanshu Anand from c/side claims said at least 5,000 WordPress websites were found hosting a malicious script that creates an unauthorized admin account with a username and password that can be found in the code.
After creating the account, the script will download a malicious WordPress plugin, and run it. The plugin, which wasn’t named, is tasked with exfiltrating sensitive data to a remote server. The data being pulled includes admin credentials and operation statuses, it was added.
How to defend
The researchers could not determine exactly how the malicious code ended up on these websites.
“So far, we haven’t identified a common denominator, and our investigation is ongoing,” Anand said.
Those interested in double-checking if their website is secure or not should visit one of these websites, the researcher advised:
To defend against the attacks, c/side recommends blocking the domain https://wp3[.]xyz in firewalls or security tools, auditing WordPress admin accounts for unauthorized users, removing suspicious plugins and validating existing ones, and strengthening CSRF protections and implementing multi-factor authentication (MFA). Ultimately, they recommend using c/side’s services, too.
Being the most popular website builder on the planet, WordPress is constantly being targeted by threat actors. However, since the platform is secure for the post part, attackers are focused on third-party plugins and themes, especially free-to-use ones, which often don’t have the right software support.
As a general rule of thumb, businesses should only use plugins and themes from reputable sources and with a strong supporting community. They should also make sure to uninstall any plugins they are not using, and to keep the remaining ones up to date.