10 Wordpress Plugins & Companies with Security Vulnerabilities Discovered

Ryuzaki

お前はもう死んでいる
Moderator
BuSo Pro
Digital Strategist
Joined
Sep 3, 2014
Messages
6,244
Likes
13,130
Degree
9
Before I even start, let me drop some advice:
  • Don't use random plugins from random developers
  • Stick to big ones like Yoast, AdvancedCustomFields, WP Super Cache, etc. Ones where livelihoods depend on them being correct, with long running histories and great reputations.
  • Always log into your sites and update your plugins (and themes, this goes for those too).
  • The less plugins, the safer you are.
  • Always be taking rolling backups and keep like 4-5 of those so you can revert to one if needed.
We've had people on this forum come and say "I wish I had listened." Listen!

10+ Wordpress Plugins with Vulnerabilities Just Discovered
Here's the skinny. WordFence had found a hacker group that was doing this Malware Advertising campaign through specific plugins. Some people listened, some didn't, some didn't hear about it. That same group never stopped according to ZDNet, who says they're getting into your site through specific plugins and creating an admin account.

What Happens?
They use these plugins to plant some javascript or something to detect when you log into your own site, then they use your own administrative privileges to create a new admin account called wpservices with the email address wpservices@yandex.com. Then they can do whatever the hell they want from inside the site's Wordpress dashboard.

Which Plugins?
  • Coming Soon Page & Maintenance Mode
  • Yellow Pencil Visual CSS Style Editor
  • Blog Designer
  • Bold Page Builder
  • Live Chat with Facebook Messenger
  • Yuzo Related Posts
  • WP Live Chat Support
  • Form Lightbox
  • Hybrid Composer
  • All former NicDark plugins
The Coming Soon Page & Maintenance Mode one is a huge offender and was guilty in the last round. If you're using it, update it and get rid of it if you can.

Word on the street is these are older problems that have already been fixed, so they're scanning sites to see who has these plugins and hasn't updated them. That's why it's important to update your plugins all the time, because as soon as a vulnerability is outted, the plugin developers fix them. Then it's a race between you and the hackers to see who gets to your site first.
 
Good post.

I will read through this post and see how I can improve on my sites security. I think I'm using some old plugins that haven't been updated for well over a year. Time to hit the delete button on those, I guess.

If someone have other good sources on how protect your WP-site, I think this could be a good topic to share it.

By the way, I am using Wordpress 2-Step Verification by as247. It was updated 10 months ago, but from what I understand it's simple code in this plugin. When using it, I have 2-step vertification through phone or email. It makes me feel as if my sites are in a bank vault.

Am I wrong for using this plugin, or does it serve its purpose?

*EDIT*

Oh snap, I just saw that Wordfence has this feature for free now.
 
Back