Over 6,000 WordPress Sites Hacked Through Malicious Plugins from WordPress Plugins Marketplace

WordPress Plugins Marketplace Cover

WordPress’ flexibility, scalability, and vast WordPress plugins marketplace have made it a leading platform for website creation. However, cybercriminals have also targeted it, exploiting vulnerabilities in WordPress plugins to inject malicious software. Recently, over 6,000 WordPress sites were compromised in a new threat actor-led campaign, installing fake plugins that spread malware designed to steal personal information.

These plugins deceive users into downloading malware that steals sensitive data, such as login credentials and personal information, by displaying phony software updates and errors. Over the past year, malicious campaigns like ClearFake and ClickFix have become more common, contributing to this concerning trend. These initiatives indicate an increasing threat to website security and underscore the necessity for WordPress site owners to keep cautious.

The Rise of Info-Stealing Malware in WordPress Sites

Malware that steals information has grown to be a major worry for security experts everywhere. Credential theft from websites frequently results in other breaches, giving bad actors access to networks, private information, and money. Since 2023, ClearFake has been a significant campaign targeting WordPress websites, delivering false web browser update banners to unsuspecting users, prompting them to download malware.

In 2024, the ClickFix campaign emerged, utilizing a similar approach. Instead of browser updates, ClickFix displays fake software error messages that appear to offer “fixes” for problems. However, these fixes are actually PowerShell scripts that install malware designed to steal information from the user’s system. Fake banners from this campaign have been seen in Google Chrome, Facebook, Google Meet, and even captcha pages, making it difficult for users to differentiate between legitimate and malicious alerts.

How Cybercriminals Use Malicious WordPress Plugins

Because WordPress plugins are so widely used in website maintenance, cybercriminals target them. Plugins are essential to WordPress because they let users add more functionality to their sites. Popular WordPress plugins for e-commerce and SEO demonstrate how plugins can assist with anything from e-commerce functionality to SEO optimization.

But in ClearFake and ClickFix, threat actors insert malicious JavaScript into the HTML code of the website by using phony WordPress plugins. To trick website admins, these plugins may pose as trustworthy programs like Wordfence Security and LiteSpeed Cache or use fictitious, generic names. After installation, users are prompted to install malware by the malicious plugin, which uses WordPress activities to load malicious scripts that display the phony banners.

Recent Attack Campaigns and Malicious Plugin List

 

In recent months, more than 6,000 WordPress websites have been infiltrated by the ClearFake/ClickFix attacks, according to GoDaddy. Using admin credentials they have obtained, the hackers access WordPress websites and install harmful plugins without the site owner’s knowledge. These invasions are highly automated, in contrast to normal attacks. Bypassing the website’s login page and logging in with a single POST HTTP request, attackers can quickly install the malicious plugin.

WordPress Plugins Marketplace body

Injected JavaScript script
Source: GoDaddy

Among the malicious plugins utilized in these campaigns are variants of well-known WordPress plugins, including:

These plugins, along with others, appear harmless at first glance but contain embedded malicious scripts that push malware to site visitors. Once installed, they attempt to load additional malicious JavaScript files stored on external networks, like Binance Smart Chain (BSC) smart contracts, which then distribute malware like ClearFake or ClickFix.

Detecting and Removing Malicious Plugins

For WordPress site owners, one of the most effective ways to detect these malicious plugins is by regularly auditing the WordPress plugins list and monitoring for unusual activity. WordPress plugins not showing in the admin dashboard, or changes to the WordPress plugins folder, can be red flags. Using a WordPress plugins detector can help identify suspicious activity or plugins that were not manually installed by the site owner.

If your WordPress site has been compromised, you should:

  1. Check installed plugins: If there are any plugins you don’t recognize, immediately disable and delete them. Refer to your WordPress plugins marketplace or trusted sources before installing any new plugins.
  2. Change passwords: To make sure that no illegal access persists, reset the passwords for every admin user. Think about creating strong, one-of-a-kind passwords for every user.
  3. Use WordPress plugins for security: Numerous security plugins, such as Wordfence Security, are available to help identify and stop malicious activity on your website. Ensure that the plugins you use are current and originate from reliable sources.
  4. Backup regularly: If your site is compromised, regular backups can guarantee that you can promptly return it to its original state.

Securing WordPress Plugins and Themes

It’s crucial to make sure that your WordPress plugins and themes are always up to date in addition to monitoring and auditing plugins. Older plugins or themes with known vulnerabilities are often the target of attacks. By frequently updating, you lessen the risks of falling prey to malware campaigns.

Developers should also consider following best practices for WordPress plugins development to ensure their plugins remain secure. By preventing hackers from inserting dangerous code into well-known plugins, a secure development process can strengthen WordPress websites’ defenses against these kinds of assaults.


Conclusion

The need of upholding strict security procedures is underscored by the recent efforts that compromised more than 6,000 WordPress websites. Owners of WordPress websites need to be on the lookout for any harmful software that has been installed without their permission by keeping an eye on their list of plugins. Take quick action if you see anything odd, such WordPress plugins not appearing in the dashboard or strange plugins in the WordPress plugins folder.

You can protect your website from these constantly changing risks by putting robust security plugins in place and using tools like a WordPress plugins scanner. It is more important than ever to secure your WordPress website in an era where spyware that steals information is becoming more prevalent.

Read More :

Scroll to Top