
Hackers Plant Backdoor in 30+ WordPress Plugins, Prompting Emergency Security Patch

By: Jordan Vector Cybersecurity Expert

Last updated: April 16, 2026

  • Hackers planted a backdoor in over 30 EssentialPlugin products after a new owner bought the company in a six-figure deal.

  • The malware hides spam pages and redirects from site owners while showing them only to Googlebot.

  • WordPress pushed a forced update to disable the backdoor, but site owners must manually clean their wp-config.php file.

Hackers have injected malicious code into more than 30 WordPress plugins from the EssentialPlugin product line, which includes sliders, galleries, marketing tools, and WooCommerce extensions. Thousands of websites running these plugins may now be exposed to unauthorized access.

Security researcher Austin Ginder, founder of Anchor Hosting, discovered the breach after receiving a tip about suspicious code in one add-on. His investigation revealed a backdoor hiding inside all EssentialPlugin products. Malicious code emerged in August 2020 shortly following a highly-publicized six-figure acquisition of the firm.

The backdoor sat inactive for months. Recently, the attackers activated it by shipping plugin updates to users. Once a site installs such an update, the malicious code contacts a command-and-control server to receive instructions.

Depending on the response from the command-and-control server, the malicious code can create spam pages, force redirects, or build bait pages that are visible only to search engines such as Google.

How the Malware Hides from Site Owners

The hackers designed the attack to stay invisible. When ordinary visitors land on an infected site, they see nothing unusual, because the malware inspects each request before deciding what to serve. If the request appears to come from Googlebot, the malware serves spam pages and fake content instead. This tricks Google into indexing the spam while the site owner, browsing the site normally, never sees anything wrong.
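A practical way to test a site for this kind of cloaking is to request the same page with a normal browser User-Agent and with a Googlebot User-Agent and compare what comes back. The script below is an added example for this article, not code from the researcher, WordPress.org, or the plugin vendor. It compares structural features of the two responses (title, outbound links, meta-refresh redirects, amount of text) rather than raw bytes, so that nonces, timestamps and other benign dynamic content do not trigger false positives. The User-Agent strings and the two sample pages are constructed for illustration; `check_url` needs network access, while `compare_responses` runs offline.

```python
"""Cloaking check: does a site serve different content to Googlebot?

Added example, not code from the article or the plugin vendor. The
User-Agent strings and sample HTML below are constructed for illustration.
"""
import urllib.request
from html.parser import HTMLParser

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
GOOGLEBOT_UA = ("Mozilla/5.0 (compatible; Googlebot/2.1; "
                "+http://www.google.com/bot.html)")


class _Features(HTMLParser):
    """Collect the features a cloaked page typically changes."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.links = set()
        self.meta_refresh = False
        self.text_len = 0
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "a" and a.get("href"):
            self.links.add(a["href"].strip())
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()
        else:
            self.text_len += len(data.strip())


def extract_features(html: str) -> dict:
    p = _Features()
    p.feed(html)
    return {"title": p.title, "links": p.links,
            "meta_refresh": p.meta_refresh, "text_len": p.text_len}


def compare_responses(browser_html: str, bot_html: str) -> list:
    """Return human-readable findings; an empty list means no sign of cloaking."""
    b, g = extract_features(browser_html), extract_features(bot_html)
    findings = []
    if b["title"] != g["title"]:
        findings.append(f"title differs: {b['title']!r} vs {g['title']!r}")
    only_bot = g["links"] - b["links"]
    if only_bot:
        findings.append(f"{len(only_bot)} link(s) shown only to Googlebot: "
                        + ", ".join(sorted(only_bot)[:5]))
    if g["meta_refresh"] and not b["meta_refresh"]:
        findings.append("meta refresh redirect served only to Googlebot")
    # A large swing in visible text size points to injected spam content.
    if b["text_len"] and g["text_len"] > 2 * b["text_len"]:
        findings.append(f"bot page text is {g['text_len'] / b['text_len']:.1f}x larger")
    return findings


def fetch_as(url: str, user_agent: str, timeout: float = 15) -> str:
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_url(url: str) -> list:
    """Fetch the page as a browser and as Googlebot, then compare (needs network)."""
    return compare_responses(fetch_as(url, BROWSER_UA), fetch_as(url, GOOGLEBOT_UA))


# Constructed sample pages standing in for a clean response and a cloaked one.
CLEAN_PAGE = """<html><head><title>My Shop</title></head>
<body><a href="/about">About</a><a href="/cart">Cart</a><p>Welcome to my shop.</p></body></html>"""
CLOAKED_PAGE = """<html><head><title>Cheap pills online</title>
<meta http-equiv="refresh" content="0;url=https://spam.example/"></head>
<body><a href="/about">About</a><a href="https://spam.example/buy">Buy now</a>
<p>Welcome to my shop.</p><p>""" + "spam " * 50 + """</p></body></html>"""

if __name__ == "__main__":
    for finding in compare_responses(CLEAN_PAGE, CLOAKED_PAGE):
        print("[!]", finding)
```

A cloaking check of this kind is only indicative: a site with genuinely different mobile and desktop templates, or with A/B testing, can also return different titles or links per User-Agent, so treat findings as a prompt to inspect the server-side code rather than as proof of compromise. Conversely, malware that keys on Googlebot's IP ranges rather than its User-Agent string will not be caught this way.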

For persistence, the malware drops a file named ‘wp-comments-posts.php’, a name chosen to mimic the legitimate core file ‘wp-comments-post.php’. It then modifies ‘wp-config.php’, the core configuration file that connects the site to its database, so that the dropped file is loaded on every request. Because wp-config.php is not touched when a plugin is updated or reinstalled, the backdoor survives both.

The attackers’ method of hiding their command server is equally sophisticated: they resolve the command server’s location through Ethereum-based addresses rather than a fixed domain, which makes the infrastructure hard to block with conventional domain blocklists or to take down.

WordPress Takes Quick Action

WordPress.org responded fast after receiving the reports. The team closed all affected plugins and pushed a forced update to websites running EssentialPlugin products. This update removes the ability of the backdoor to interact with the command server – it disables its main execution path.

However, WordPress warns that this forced update does not clean the wp-config.php file. Site owners must manually check this file and remove any malicious code themselves. The WordPress Plugins Team also cautions that the backdoor may hide in other files besides ‘wp-comments-posts.php’. Site owners should scan their entire installation for any suspicious files.

EssentialPlugin had not commented on the incident as of publication time. The silence leaves many questions unanswered about how the breach happened, including whether the new owner knew about the backdoor.

The use of deception in cyberattacks is a common thread. China-linked hackers targeting Qatar used fake war news to spread malware, showing that whether the target is website owners or individuals, attackers rely on trickery and misdirection to achieve their goals.

What Site Owners Must Do Now

If your website runs any EssentialPlugin product, you need to act immediately.

First, check your wp-config.php file for any suspicious code, especially anything related to ‘wp-comments-posts.php’. Remove any lines that do not belong there.

Second, scan your WordPress installation for unknown files. Pay special attention to files with names that look similar to legitimate WordPress files. The attackers used a name that closely mimics a real file – so look carefully.

Finally, change all admin passwords and review user accounts for any unauthorized additions. Even after cleaning the malware, assume the attackers may have left other backdoors.
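The first two steps above can be automated. The script below is an added example written for this article, not code from WordPress.org, the researcher, or the plugin vendor. It performs the two file-system checks the article describes: it flags include/require statements in wp-config.php that load anything other than the stock `wp-settings.php`, and it walks the install looking for file names that closely resemble a core WordPress file name but are not core files (such as ‘wp-comments-posts.php’ next to ‘wp-comments-post.php’). The list of core root files is an assumed subset of a stock WordPress root; extend it from a clean download of the same version before running this on a real site. The sample install it builds in a temporary directory is constructed for illustration.

```python
"""Post-compromise checks for a WordPress install.

Added example, not code from the article, WordPress.org or the plugin vendor.
CORE_ROOT_FILES is an assumed subset of a stock WordPress root; the sample
install built by build_sample_install() is constructed for illustration.
"""
import difflib
import os
import re
import tempfile
from pathlib import Path

# Files present in a stock WordPress root (assumed subset), plus wp-config.php.
CORE_ROOT_FILES = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}
# The only file a stock wp-config.php is expected to include.
EXPECTED_INCLUDES = {"wp-settings.php"}

# Matches include/require/include_once/require_once, with or without parentheses
# and with or without the PHP error-suppression '@' prefix.
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*(.+?)\s*\)?\s*;", re.IGNORECASE)


def suspicious_config_lines(config_text: str) -> list:
    """Return (line_no, line) for include/require statements not loading wp-settings.php."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue  # comment line
        m = INCLUDE_RE.search(stripped)
        if not m:
            continue
        target = m.group(1)
        if not any(expected in target for expected in EXPECTED_INCLUDES):
            hits.append((n, stripped))
    return hits


def lookalike_files(root: Path, cutoff: float = 0.85) -> list:
    """Return (relative_path, core_name) for non-core files whose names nearly match a core file."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in CORE_ROOT_FILES:
                continue
            close = difflib.get_close_matches(name, CORE_ROOT_FILES, n=1, cutoff=cutoff)
            if close:
                found.append((str(Path(dirpath, name).relative_to(root)), close[0]))
    return found


def audit(root: Path) -> dict:
    """Run both checks against a WordPress root directory."""
    config = root / "wp-config.php"
    return {
        "config": suspicious_config_lines(config.read_text()) if config.exists() else [],
        "lookalikes": lookalike_files(root),
    }


# Constructed wp-config.php mirroring the persistence the article describes.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wp');
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) { define( 'ABSPATH', __DIR__ . '/' ); }
require_once ABSPATH . 'wp-comments-posts.php';
require_once ABSPATH . 'wp-settings.php';
"""


def build_sample_install() -> Path:
    """Create a small constructed install in a temp dir: core files plus the dropped lookalike."""
    root = Path(tempfile.mkdtemp(prefix="wp-"))
    (root / "wp-config.php").write_text(SAMPLE_CONFIG)
    for name in ("index.php", "wp-comments-post.php", "wp-settings.php"):
        (root / name).write_text("<?php // core\n")
    (root / "wp-comments-posts.php").write_text("<?php // dropped by the backdoor\n")
    (root / "wp-content").mkdir()
    (root / "wp-content" / "plugin-readme.txt").write_text("benign\n")
    return root


if __name__ == "__main__":
    report = audit(build_sample_install())
    for n, line in report["config"]:
        print(f"[!] wp-config.php:{n}: {line}")
    for path, core in report["lookalikes"]:
        print(f"[!] {path} resembles core file {core}")
```

Run `audit(Path("/var/www/html"))` (or wherever the site lives) on a copy of the install rather than in place. The name-similarity check catches the single-character trick used here, but a file with an entirely unrelated name, or code appended inside an otherwise legitimate file, will not be flagged; for that, compare the install against a clean download of the same WordPress version and the same plugin versions with a checksum tool, and follow the WordPress Plugins Team's advice to review the whole installation.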

Security experts recommend installing a WordPress security plugin to help monitor for future attacks. With thousands of sites affected, you cannot assume you are safe just because you have not seen any visible problems.


About the Author

Jordan Vector


Cybersecurity Expert

Jordan is a security researcher and advocate who focuses on making privacy practical. Whether he's explaining how to harden a browser or reporting on the latest surveillance disclosures, his goal is to equip readers with knowledge they can use immediately. Jordan believes that true security begins with understanding the digital landscape.
