12 Aug, 2024

Malicious Code Infection: How to Secure Your WordPress Website

Let's learn more about the WordPress.org attack and what you can do to keep malicious code from affecting your webpage.
Plugins are a wonderful addition to any website. They allow you to customize your page and provide more functionality. Recently, however, WordPress was the victim of a supply chain attack that injected malicious code into eight of its popular plugins. These attacks have affected many web pages owned by individuals. It's time to learn a little more about the attacks and what you can do to keep malicious code from affecting your webpage, whether you use WordPress.org or some other hosting service.

What Is WordPress.org?

WordPress.org is a free, open-source platform that allows people to create their own websites, blogs, or other online products. WordPress.com hosts the websites, while WordPress.org distributes the space. WordPress.com and WordPress.org have been around since the software's debut on the internet in 2003. Since its inception, many people have contributed to the code, making the software better and easier to use.

You can also create a self-created website. Initially, people used WordPress for online blogs to share their opinions or information about their hobbies or interests. Over the years, people began using WordPress.org to distribute their website content. As an open-source platform, people can make changes to the software and make it their own to develop their content.

Many people, companies, and corporations use WordPress.com and WordPress.org to build and customize their websites. In fact, Whitehouse.gov, the official website of the White House, and Microsoft's blog are built on and powered by WordPress software.

How Did the Supply Chain Attack Occur?

On June 22, 2024, the WordPress.org Plugin Review team put out a statement on the forum that at least one plugin was affected by a supply chain attack that introduced malicious code onto the websites that use the plugin. The malware creates a new administrative user account and transmits its details back to the attackers. Most of these fraudulent accounts use either Options or PluginAuth as the name of the new administrative account.

The malware also injects malicious JavaScript that creates SEO spam and attaches it to the footers of the infected website. This unsophisticated code was first injected into the plugins on June 21, 2024, and the attackers continued to update the hostile code over several days.

The Eight Plugins Affected by the Malicious Code

The supply chain attack was originally recognized in a single plugin. However, WordPress.org and other contributors spotted and identified seven more over the next few hours and days. The plugins affected by the malicious code include:

  • Social Warfare, version 4.4.6.4 – 4.4.7.1: They've created a new patched version 4.4.7.3.
  • Blaze Widget, version 2.2.5 – 2.5.2: There isn't a patched version available yet.
  • Wrapper Link Element, version 1.0.2 – 1.0.3: A patched version doesn't seem to be available yet. However, the currently available version is 1.0.0, which seems to be an earlier version that preceded the infection.
  • Contact Form 7 Multi-Step Addon, version 1.0.4 – 1.0.5: There isn't a patched version available yet.
  • Simply Show Hooks, version 1.2.1: There isn't a patched version available yet.
  • WP Server Health Stats, version 1.7.6: They've created a new patched version 1.7.8.
  • Ad Invalid Click Protector (AICP), version 1.2.9: They've created a new patched version 1.2.10.
  • PowerPress Podcasting plugin by Blubrry, version 11.9.3 – 11.9.4: They've created a new patched version 11.9.5.

The developers of many affected plugins have released a patch or reverted to an earlier version. So, before you use a plugin on your WordPress.org website, you should compare all the plugins you use against this list.

What Does This Mean for Website Users?

If you use one of these plugins on your WordPress web page, and it updated automatically to an affected version, your webpage will be infected by this malware. The malicious code remains on your website even after you switch to the patched version of the plugin.

Website protection is a serious concern, but unfortunately, this cybersecurity breach took place because of reused passwords, which the hackers used to place their code in the plugins. The attack vector is the plugin directory itself, making it more difficult to block.

The first step is to go to your WordPress administrative user accounts and see if you have any unauthorized accounts. You'll need to remove any that you find. After removing unauthorized accounts, you'll also need to use malware removal software to clean any remaining infection from your page.
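The two checks described above, comparing installed plugins against the affected version ranges and looking for the administrator names the malware creates, can be scripted. The Python below is an added example, not code from WordPress.org or from this article's author. It assumes a plugin inventory exported as CSV with `title` and `version` columns and a list of administrator logins; both samples are constructed, and titles are matched exactly as the article spells them.

```python
import csv
import io

# Affected ranges (inclusive) and patched release, as listed in the article.
# None means the article lists no patched release.
AFFECTED = {
    "social warfare": ("4.4.6.4", "4.4.7.1", "4.4.7.3"),
    "blaze widget": ("2.2.5", "2.5.2", None),
    "wrapper link element": ("1.0.2", "1.0.3", None),
    "contact form 7 multi-step addon": ("1.0.4", "1.0.5", None),
    "simply show hooks": ("1.2.1", "1.2.1", None),
    "wp server health stats": ("1.7.6", "1.7.6", "1.7.8"),
    "ad invalid click protector (aicp)": ("1.2.9", "1.2.9", "1.2.10"),
    "powerpress podcasting plugin by blubrry": ("11.9.3", "11.9.4", "11.9.5"),
}
# Administrator names the article says the malware most often creates.
ROGUE_ADMINS = {"options", "pluginauth"}

def vkey(version, width=4):
    """Turn '1.2.10' into (1, 2, 10, 0) so versions compare numerically."""
    parts = [int(p) for p in version.strip().split(".") if p.isdigit()]
    return tuple(parts + [0] * (width - len(parts)))

def audit_plugins(inventory_csv):
    """Return (title, version, patched) for installs inside an affected range."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        entry = AFFECTED.get(row["title"].strip().lower())
        if entry and vkey(entry[0]) <= vkey(row["version"]) <= vkey(entry[1]):
            findings.append((row["title"], row["version"], entry[2]))
    return findings

def audit_admins(admin_logins):
    """Return administrator logins matching the names the malware creates."""
    return [u for u in admin_logins if u.strip().lower() in ROGUE_ADMINS]

# Constructed sample data for illustration (not from a real site).
SAMPLE_INVENTORY = """title,version
Social Warfare,4.4.7.1
WP Server Health Stats,1.7.8
Simply Show Hooks,1.2.1
Ad Invalid Click Protector (AICP),1.2.10
"""
SAMPLE_ADMINS = ["alice", "PluginAuth", "editor-bob", "Options"]

if __name__ == "__main__":
    for title, version, patched in audit_plugins(SAMPLE_INVENTORY):
        print(f"AFFECTED: {title} {version} (patched release: {patched})")
    print("Suspicious admins:", audit_admins(SAMPLE_ADMINS))
```

A version match only tells you the site ran infected code at some point. Because the injected code can remain after the plugin is updated, the account review and malware scan are still needed on any site that ever had an affected version installed.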

Can a Web Application Firewall (WAF) Block the Infection?

Most times, a Web Application Firewall (WAF) can stop malware in its tracks and provide outstanding website protection. However, the WordPress.org supply chain attack happened to its plugins, and a WAF doesn't offer website protection from the plugins.

This cybersecurity attack was not a common HTTP attack, which a WAF would have blocked. If you have one of these plugins and it was updated to the infected version, your website probably has unauthorized administrative users and malware that can affect the footers on your website.

What Can You Do to Protect Your WordPress Website From Malicious Code?

Website protection is essential for your WordPress.org website. However, there are some definitive steps you need to take to constantly put cybersecurity first, including:

  • Regular Scanning: Schedule regular scans of your WordPress site with Quttera to promptly detect new threats or infections.
  • Secure Backups: Maintain regular, secure backups of your website. This ensures you can quickly restore a clean version of your site if necessary.
  • Least Privilege Principle: Ensure that your WordPress user accounts follow the principle of least privilege. Limit admin access to only those who need it.
  • Plugin and Theme Management: Use only trusted plugins and themes from reputable sources. It is also important to regularly audit and remove any plugins or themes that you do not actively use or maintain.
  • Security Plugins: Install and configure security plugins such as Quttera Web Malware Scanner.
  • Stay Informed: Subscribing to security blogs and forums related to WordPress and cybersecurity will keep you updated on the latest security threats and vulnerabilities.
  • Educate Your Team: Educate all users with access to your WordPress site about security best practices and the importance of keeping their systems secure.

When you make these steps part of your best practices, you'll be able to better protect your website from any malicious code infections.

Use ThreatSign! to Notify You When Your Website Is Under Attack

It's time to take charge of your cybersecurity and protect your webpage from hacking. It might be your blog on WordPress or a more active website through a different hosting service. Either way, you need to know that your work and information are protected from malware. ThreatSign! can be your reliable partner in website protection. Contact us now to learn more.