Hackers have come up with a different method of installing backdoored plugins on websites powered by WordPress. The technique relies on taking advantage of weak WordPress.com accounts and the Jetpack plugin. Compromising a website this way is highly complex, and a hacker must work through multiple steps to attack a WordPress website. The attacks started on May 16, according to a report released by WordPress security firm Wordfence.
The first step of this attack consists of the hackers taking usernames and passwords from public data breaches and attempting to log in to the WordPress accounts of users. Users who have reused passwords across different websites and have not enabled two-factor authentication for their profiles are easy targets for takeover attempts. WordPress.com accounts are used to manage professional blogs hosted by Automattic Services. A few years back, Automattic took the analytics plugin used on WordPress.com and released it as an open-source plugin for self-hosted WordPress sites.
That analytics module, named Jetpack, is one of the most popular plugins for WordPress sites. Its distinguishing feature is that it can connect a self-hosted WordPress site to a WordPress.com account, so the site can be managed from the Jetpack panel inside WordPress.com. Jetpack also makes it possible to install plugins across different sites just by using the WordPress.com Jetpack dashboard. The plugin doesn’t even have to be hosted or hidden on the official WordPress.org repository, and criminals can easily upload a ZIP file with the malicious code that then gets sent to each site.
Hackers are taking advantage of this remote management feature to deploy backdoored plugins across previously secured websites. Experts say that attacks started on May 16, with the hackers deploying a plugin named “pluginsamonsters,” later switching to another plugin named “wpsmilepack” on May 21.
“The plugin is visible on the WordPress.com dashboard but is invisible on the target WordPress site’s plugin list when active,” the Wordfence team said. If bloggers find any suspicious activity, they should immediately change the password for their WordPress.com website.
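Because the plugin is reported to hide itself from the site's own plugin list, a site owner can compare what is actually on disk with what that list shows. The following check is an added example, not code from Wordfence or WordPress; it assumes the standard `wp-content/plugins` layout and that a plugin's directory name matches the names reported above, and the function names and sample layout are constructed for illustration.

```python
import os
import tempfile

# Plugin names reported in the article (directory-name match is an assumption).
REPORTED_NAMES = {"pluginsamonsters", "wpsmilepack"}


def plugins_on_disk(plugins_dir):
    """Return plugin slugs present on disk: subdirectories and single-file plugins."""
    slugs = set()
    for entry in os.scandir(plugins_dir):
        if entry.is_dir():
            slugs.add(entry.name)
        elif entry.name.endswith(".php") and entry.name != "index.php":
            # Single-file plugin such as hello.php; index.php is the stock placeholder.
            slugs.add(entry.name[:-4])
    return slugs


def audit_plugins(plugins_dir, listed_slugs):
    """Compare on-disk plugins with the slugs the site's plugin list displays.

    listed_slugs is supplied by the operator from the site's plugin screen.
    """
    on_disk = plugins_on_disk(plugins_dir)
    return {
        # Directories whose name matches a plugin named in the report.
        "reported": sorted(s for s in on_disk if s.lower() in REPORTED_NAMES),
        # Anything installed on disk that the plugin list does not show.
        "hidden": sorted(on_disk - set(listed_slugs)),
    }


def demo():
    """Run the audit against a constructed sample plugins directory."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("jetpack", "akismet", "wpsmilepack"):
            os.mkdir(os.path.join(root, name))
        for name in ("index.php", "hello.php"):
            open(os.path.join(root, name), "w").close()
        # The operator sees only these three entries in the plugin list.
        return audit_plugins(root, ["jetpack", "akismet", "hello"])


if __name__ == "__main__":
    print(demo())
```

Any entry under `hidden` deserves review even when its name is not one of the two reported, since the article notes the attackers switched plugin names between May 16 and May 21.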
Do you know anyone previously affected by this issue?