- Security researchers discover more than 5,000 websites containing malicious code
- Malware installs plugin that steals login credentials and sensitive data
- Researchers recommended a number of mitigation measures
Thousands of WordPress websites have been observed running malware capable of creating a malicious administrator account and exfiltrating sensitive data via malicious plugins.
A new report from security researcher Himanshu Anand of c/side claims that at least 5,000 WordPress websites host a malicious script that creates an unauthorized administrator account, using a username and password hard-coded in the script itself.
After creating the account, the script downloads a malicious WordPress plugin and executes it. The plugin, which has not been named, is responsible for exfiltrating sensitive data to a remote server; the report adds that the stolen data includes administrator credentials and operation statuses.
How to defend
Researchers could not determine exactly how the malicious code ended up on these websites.
“So far we have not identified a common denominator and our investigation is ongoing,” Anand said.
Website owners wanting to check whether their site is affected should consult one of these services, the researcher advised:
- PublicWWW.com
- URLScan.io
To defend against attacks, c/side recommends blocking the domain https://wp3[.]xyz in firewalls or security tools, auditing WordPress admin accounts for unauthorized users, removing suspicious plugins and validating existing ones, strengthening CSRF protections, and implementing multi-factor authentication (MFA). Ultimately, they also recommend using c/side’s services.
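As an added example (not from the c/side report or its tooling), the shell helpers below automate two of the checks recommended above: searching the site's files for the wp3[.]xyz indicator domain and comparing the administrator account list against a known allowlist. The WP-CLI command in the comments is assumed to be available on the host; the sample plugin tree and account list are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: offline-testable helpers for two checks the c/side report recommends.
# Assumes GNU grep. WP-CLI is only needed for the live administrator listing.

# Indicator domain from the report, written here without the defanging brackets.
IOC_DOMAIN='wp3.xyz'

# scan_tree DIR: print the PHP/JS files under DIR that reference the indicator domain.
scan_tree() {
  grep -rIl --include='*.php' --include='*.js' -e "$IOC_DOMAIN" "$1" 2>/dev/null | sort
}

# unexpected_admins ALLOWLIST: read one administrator login per line on stdin and
# print those not present in ALLOWLIST (one known login per line).
# Live use (assumes WP-CLI):
#   wp user list --role=administrator --field=user_login | unexpected_admins known_admins.txt
unexpected_admins() {
  # grep exits 1 when every login is allowed; that is a clean result, not an error.
  grep -vxF -f "$1" || true
}

# make_demo_tree: build a constructed WordPress-like tree containing one clean
# plugin and one file that references the indicator domain; prints the tree path.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/plugins/good" "$d/wp-content/plugins/dropped"
  printf '%s\n' '<?php // constructed clean plugin file' \
    > "$d/wp-content/plugins/good/good.php"
  printf '%s\n' '<?php $remote = "https://wp3.xyz/"; // constructed sample referencing the indicator' \
    > "$d/wp-content/plugins/dropped/loader.php"
  printf '%s' "$d"
}

# Demonstration run on the constructed data.
tree=$(make_demo_tree)
echo "Files referencing $IOC_DOMAIN:"
scan_tree "$tree"
allow=$(mktemp)
printf 'admin\nwebmaster\n' > "$allow"             # constructed allowlist
echo "Administrator logins not on the allowlist:"
printf 'admin\nconstructed_rogue_user\nwebmaster\n' | unexpected_admins "$allow"
rm -rf "$tree" "$allow"
```

Run the file-scan against the WordPress root rather than only wp-content, since the report does not say where the script lands; any hit belongs in the plugin review and account audit described above.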
Being the most popular website builder on the planet, WordPress is constantly targeted by bad actors. However, because the core publishing platform itself is relatively secure, attackers focus on third-party plugins and themes, especially free ones, which often lack proper maintenance and support.
As a general rule, businesses should only use plugins and themes from reputable sources with a strong supporting community. They should also make sure to uninstall any plugins they don’t use and keep others up to date.