Malicious WordPress plugin installed backdoor on thousands of websites
Widget plugin spewed spam to unsuspecting victims


Hackers have used a WordPress plugin to install backdoors on up to 200,000 websites, allowing spam to be uploaded onto unsuspecting websites.
According to research carried out by IT security firm WordFence, the plugin, known as Display Widgets, should be removed immediately by website owners. The firm said that the last three releases of the plugin have contained code that allows the author to publish any content on an affected site.
"The authors of this plugin have been using the backdoor to publish spam content to sites running their plugin. During the past three months the plugin has been removed and readmitted to the WordPress.org plugin repository a total of four times," said Mark Maunder, CEO of WordFence.
Maunder said that the plugin was developed by its original author as an open-source project but was then sold on 21 June. An updated version, 2.6.0, was released by its new owner immediately. WordFence was informed by David Law, a UK-based SEO consultant, that the widget had begun installing additional code and then started downloading data from Law's own server.
On 23 June, WordFence removed Display Widgets, and a week later the new owner released version 2.6.1 of the plugin. This release contained a file called geolocation.php which, as no one realised at the time, contained malicious code. This code allowed the plugin author to post new content to any website running the plugin, to a URL of their choosing.
"Furthermore, the malicious code prevented any logged-in user from seeing the content. In other words, site owners would not see the malicious content. David Law again contacted the plugin team and let them know that the plugin is logging visits to each website to an external server, which has privacy implications," said Maunder.
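The cloaking Maunder describes (spam served to ordinary visitors but hidden from anyone who is logged in) is exactly what makes the injection hard for a site owner to spot in the dashboard. One practical check is to fetch a page twice, once anonymously and once as an authenticated administrator, and compare what comes back. The script below is an added example, not code from the article or from WordFence: it diffs the block-level content of the two responses and reports blocks that only the anonymous visitor sees, along with any off-site link targets they carry. The HTML samples are constructed; in real use the two inputs would be the bodies of your own HTTP requests.

```python
"""Detect content that a site serves to anonymous visitors but hides from
logged-in users, a common cloaking trick used to keep injected spam out of
the site owner's view. Added example; assumes the caller supplies the two
page bodies (anonymous vs. authenticated fetch of the same URL)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _BlockExtractor(HTMLParser):
    """Collect the visible text of block-level elements and the hrefs inside them."""
    BLOCKS = {"p", "div", "li", "h1", "h2", "h3", "h4", "section", "article"}

    def __init__(self):
        super().__init__()
        self.blocks = []   # list of (text, [hrefs]) in document order
        self._stack = []   # currently open blocks: (text_parts, hrefs)

    def handle_starttag(self, tag, attrs):
        if tag in self.BLOCKS:
            self._stack.append(([], []))
        elif tag == "a" and self._stack:
            href = dict(attrs).get("href")
            if href:
                self._stack[-1][1].append(href)

    def handle_data(self, data):
        if self._stack:
            self._stack[-1][0].append(data)

    def handle_endtag(self, tag):
        if tag in self.BLOCKS and self._stack:
            parts, hrefs = self._stack.pop()
            text = re.sub(r"\s+", " ", "".join(parts)).strip()
            if text:
                self.blocks.append((text, hrefs))


def extract_blocks(html):
    parser = _BlockExtractor()
    parser.feed(html)
    return parser.blocks


def find_cloaked_content(anonymous_html, logged_in_html, site_host):
    """Return blocks present in the anonymous response but absent from the
    logged-in response, with the external hosts their links point to."""
    seen_logged_in = {text for text, _ in extract_blocks(logged_in_html)}
    findings = []
    for text, hrefs in extract_blocks(anonymous_html):
        if text in seen_logged_in:
            continue
        hosts = {urlparse(h).netloc for h in hrefs}
        external = sorted(h for h in hosts if h and h != site_host)
        findings.append({"text": text, "external_hosts": external})
    return findings


# Constructed sample responses for the same URL; the second is what an
# authenticated administrator would see, with the spam block suppressed.
ANONYMOUS_PAGE = """<html><body><div id="content">
<h1>My Blog</h1>
<p>Welcome to my site.</p>
<p>Cheap watches at <a href="https://spam-example.invalid/shop">spam-example.invalid</a>.</p>
</div></body></html>"""

LOGGED_IN_PAGE = """<html><body><div id="content">
<h1>My Blog</h1>
<p>Welcome to my site.</p>
</div></body></html>"""

if __name__ == "__main__":
    for hit in find_cloaked_content(ANONYMOUS_PAGE, LOGGED_IN_PAGE, "myblog.example"):
        print("hidden from logged-in users:", hit["text"], "->", hit["external_hosts"])
```

Running the comparison from a cron job and alerting on any non-empty result catches this class of injection regardless of which plugin file carries it, which matters here because the backdoor survived several re-releases under different version numbers.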
On 1 July the plugin was pulled from the WordPress repository, only to be followed by version 2.6.2 on 6 July. Again it included the malicious code referenced above, which had still gone unnoticed.
It was on 23 July that a user by the name of Calvin Ngan opened a Trac ticket reporting that Display Widgets was injecting spammy content into his website. He included a link to Google results that had indexed the spam and said the malicious code was in geolocation.php.
In September, version 2.6.3 of the plugin was released, and it included the same malicious code. Last week, a forum user on WordPress.org reported in the Display Widgets plugin support forum that spam had been injected into their website.
"The authors of the plugin are actively maintaining their malicious code, switching between sources for spam and working to obfuscate (hide) the domain they are fetching spam from," said Maunder.
The widget was removed permanently on 8 September, but Maunder tracked down the plugin's new buyer to a service called WP Devs, which buys old and abandoned plugins.
His investigations found that the company appears to be run by one person in the US and possibly another in Eastern Europe, judging by linguistic errors made by the poster.
Maunder said that people in the WordPress community should not "start any witch hunts".
"Occasionally plugins change ownership and very rarely, that doesn't go well. That appears to be what happened in this case," he said.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.