This article walks through real cases in which WordPress plugins turned into malware after being acquired by another party or after their wordpress.org accounts were hijacked, and explains what you can do ahead of time to protect your site.

Can plugins distributed from the official WordPress website contain malware?

Plugins distributed from the official WordPress website are open source, meaning their code can be read by developers anywhere in the world, and they are routinely checked for malware by volunteer developers, security companies, and the WordPress.org team.
That scrutiny makes such incidents rare, but there have nonetheless been several cases in which plugins (including updates to existing plugins) distributed from the official site contained malware and were delivered to sites.

1 Display Widgets malware contamination case 2017

Display Widgets was a popular plugin in use on roughly 200,000 sites. Its developer sold the plugin to a third party for $15,000.

With the subsequent v2.6.0 release, that third party introduced malware, and the many sites that updated to this version or newly installed Display Widgets were affected (by some estimates, tens of thousands of sites).
The timeline of the incident is as follows.

May 19, 2017
Former developer sells the plugin to a third party (operating under the name Mason Soiza) for $15,000

June 21, 2017
New owner releases the first update, v2.6.0. The malicious code is quietly inserted at this point.

June 22, 2017
SEO consultant David Cameron Law discovers an anomaly in v2.6.0 and reports to WordPress.org that the plugin downloads over 38MB of external code and sends visitor IP addresses, pages viewed, domains, and other data to a third-party server

June 23, 2017
WordPress.org removes the plugin from the repository (1st time)

June 30, 2017
The attacker releases v2.6.1, which still includes geolocation.php but is judged "not malicious code" and allowed back into the repository. The new code adds the ability to hide the injected spam content from logged-in users, so site administrators are less likely to notice it.

July 1, 2017
WordPress.org removes the plugin (2nd time)

July 6, 2017
v2.6.2 is released, keeping geolocation.php and adding an ON/OFF option to "make it look legit"

July 23, 2017
Another user reports spam being served by the plugin.

July 24, 2017
WordPress.org removes the plugin (3rd time)

September 2, 2017
v2.6.3 is released. The malware remains intact and even receives bug fixes, described as "clearly intentional maintenance".

September 8, 2017
WordPress.org removes the plugin permanently (4th and final time)

As the history shows, each malicious release was discovered within roughly 1 to 20 days, and WordPress.org stopped distributing the plugin within 20 days every time, even though the acquirer kept claiming the problem had been fixed.
This was the first known case in which the acquirer of a plugin repeatedly claimed to have fixed the problem while in fact continuing to ship malware in it.

2 Social Warfare Malware Contamination Case 2024

The Social Warfare malware incident did not involve an acquisition. Instead, attackers took over the plugin's wordpress.org committer account (which controls uploading new plugin versions, among other things) and used it to publish a malicious release.

Account takeover is considered the most likely explanation, and the investigation was still ongoing at the time of writing.

June 22, 2024
Malicious code is introduced into Social Warfare and distributed to sites as an update via WordPress.org.

June 22, 2024
The WordPress.org Plugin Review Team notices the malware via a post in the Social Warfare support forum

June 22, 2024
The WordPress.org Plugin Review Team posts in the forum, announcing that "A malicious attacker has hijacked Social Warfare and delivered a version that creates users with admin rights." At the same time, a clean version, v4.4.7.3, is released and users are urged to update immediately

In addition:

June 24, 2024
Wordfence discovers four more plugins containing similar code: Blaze Widget, Wrapper Link Element, Contact Form 7 Multi-Step Addon, and Simply Show Hooks.
The plugins are pulled from distribution the same day, and patched versions are released later.

In wordpress.org account-hijacking cases, discovery and removal of the malware is usually complete within a few days.
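The two indicators the cases above describe, a plugin that creates administrator users (Social Warfare) and a plugin that pulls code from and reports visitors to an outside server (Display Widgets), can both be caught on the site itself. The following must-use plugin is an added example written for this article, not code from either plugin or from WordPress.org. It hooks WordPress's role-assignment actions and the HTTP API, attributes each event to the plugin file that triggered it by walking the call stack, and logs and emails an alert. The allowlist of hosts, the email destination, the constant names and the file name are assumptions; any plugin that legitimately contacts its own update or licensing server will need adding to the allowlist.

```php
<?php
/**
 * Plugin Name: Plugin Compromise Canary (added example, not the page's or any plugin's code)
 * Description: Logs administrator grants and outbound HTTP requests made by plugin code.
 * Install as wp-content/mu-plugins/compromise-canary.php (assumed file name).
 */

// Hosts that plugin code may contact without an alert. Assumption: extend for your plugins.
const CANARY_ALLOWED_HOSTS = array( 'api.wordpress.org', 'downloads.wordpress.org' );
// Set to false to log only, without emailing the site admin address.
const CANARY_SEND_EMAIL = true;

/**
 * Return the plugin file (relative to WP_PLUGIN_DIR) nearest the top of the call
 * stack, or null when the call originated in core, the theme or an mu-plugin.
 */
function canary_originating_plugin() {
    $plugin_dir = wp_normalize_path( WP_PLUGIN_DIR );
    foreach ( debug_backtrace( DEBUG_BACKTRACE_IGNORE_ARGS ) as $frame ) {
        if ( empty( $frame['file'] ) ) {
            continue;
        }
        $file = wp_normalize_path( $frame['file'] );
        if ( 0 === strpos( $file, $plugin_dir . '/' ) ) {
            return substr( $file, strlen( $plugin_dir ) + 1 );
        }
    }
    return null;
}

// Write one line to the PHP error log and optionally mail it to the stored admin address.
function canary_alert( $message ) {
    $line = gmdate( 'c' ) . ' ' . $message;
    error_log( 'compromise-canary: ' . $line );
    if ( CANARY_SEND_EMAIL ) {
        wp_mail( get_option( 'admin_email' ), 'compromise-canary alert', $line );
    }
}

// Fires for every role assignment, including the one inside wp_insert_user().
function canary_on_role_change( $user_id, $role, $old_roles = array() ) {
    if ( 'administrator' !== $role || in_array( 'administrator', (array) $old_roles, true ) ) {
        return; // only newly granted administrator rights are interesting
    }
    $origin = canary_originating_plugin();
    $user   = get_userdata( $user_id );
    canary_alert( sprintf(
        'administrator role granted to user #%d (%s) by %s, request URI %s',
        $user_id,
        $user ? $user->user_login : 'unknown',
        $origin ? 'plugin ' . $origin : 'core/theme',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : 'cli/cron'
    ) );
}
add_action( 'set_user_role', 'canary_on_role_change', 10, 3 );
add_action( 'add_user_role', 'canary_on_role_change', 10, 2 );

// Runs before every WP HTTP API request. Returning $preempt unchanged blocks nothing.
function canary_on_http_request( $preempt, $parsed_args, $url ) {
    $host   = wp_parse_url( $url, PHP_URL_HOST );
    $origin = canary_originating_plugin();
    if ( $origin && ! in_array( $host, CANARY_ALLOWED_HOSTS, true ) ) {
        canary_alert( sprintf( 'plugin %s requested %s', $origin, $url ) );
    }
    return $preempt;
}
add_filter( 'pre_http_request', 'canary_on_http_request', 10, 3 );
```

Files in wp-content/mu-plugins/ load before ordinary plugins and cannot be deactivated from the dashboard, which is why the canary lives there. It only observes: the site keeps working, and the log tells you which plugin created an administrator or reached a host you did not expect. Expect some noise from legitimate plugins on first deployment and tune the allowlist before relying on the email alerts.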

How to deal with it and what to watch out for

Malware contamination of officially distributed plugins is rare, but it does happen. As the cases above show, it is also discovered and fixed quickly.
Keeping plugins updated therefore remains overwhelmingly more beneficial for security than leaving vulnerable plugins unpatched.
Still, the incidents above suggest that the following update timing is safer.

1 Wait a month or so before updating a plugin whose ownership has changed (for example, after the distributor has been acquired or the plugin has been renamed).
2 Wait a week or so before applying updates from the same developer.

We also recommend running a malware scan after updating plugins, since contamination is possible even with updates from the official repository.
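The two waiting periods above only help if an update is not applied automatically the moment it appears. One way to enforce them, as an added example written for this article and not code from WordPress.org or from any of the plugins named above, is a must-use plugin that filters auto_update_plugin: it asks the WordPress.org plugin API when the offered version was published and who its contributors are, holds the update until the release is a week old, and holds it for a month when the contributor list differs from the one recorded at the site's previous update. The 7- and 30-day values, the option and transient names, the function names and the file name are assumptions. Note that a hijacked committer account (the Social Warfare case) does not change the contributor list, so that case is covered only by the one-week delay, not the longer one.

```php
<?php
/**
 * Plugin Name: Delayed Plugin Auto-Updates (added example, not the page's or WordPress.org's code)
 * Description: Holds back plugin auto-updates until a release has aged; longer after an ownership change.
 * Install as wp-content/mu-plugins/delayed-auto-updates.php (assumed file name).
 */

// Waiting periods from the recommendations above (assumed values, in days).
const DAU_WAIT_SAME_OWNER_DAYS = 7;
const DAU_WAIT_NEW_OWNER_DAYS  = 30;

/**
 * Fetch version, publish time and contributors for a WordPress.org plugin slug,
 * cached for 12 hours. Returns null when the API cannot be reached.
 */
function dau_plugin_info( $slug ) {
    $cache_key = 'dau_info_' . md5( $slug );
    $cached    = get_transient( $cache_key );
    if ( false !== $cached ) {
        return $cached;
    }
    if ( ! function_exists( 'plugins_api' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin-install.php'; // needed outside wp-admin (cron)
    }
    $info = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'last_updated' => true, 'contributors' => true, 'sections' => false ),
    ) );
    if ( is_wp_error( $info ) ) {
        return null;
    }
    $data = array(
        'version'      => $info->version,
        'last_updated' => strtotime( $info->last_updated ), // API gives e.g. "2024-06-22 3:02pm GMT"
        'contributors' => array_keys( (array) $info->contributors ),
    );
    set_transient( $cache_key, $data, 12 * HOUR_IN_SECONDS );
    return $data;
}

/**
 * True when the offered release is old enough to install. $baseline is the
 * contributor list recorded the last time this site updated the plugin.
 */
function dau_release_old_enough( array $info, array $baseline, $now ) {
    $current = $info['contributors'];
    sort( $current );
    sort( $baseline );
    $same_owner = empty( $baseline ) || $current === $baseline;
    $wait_days  = $same_owner ? DAU_WAIT_SAME_OWNER_DAYS : DAU_WAIT_NEW_OWNER_DAYS;
    return $info['last_updated'] && ( $now - $info['last_updated'] ) >= $wait_days * DAY_IN_SECONDS;
}

// $item is one entry of the update_plugins transient; $item->slug is the WordPress.org slug.
function dau_filter_auto_update( $update, $item ) {
    if ( empty( $item->slug ) ) {
        return $update; // not from WordPress.org; leave the default policy alone
    }
    $info = dau_plugin_info( $item->slug );
    if ( null === $info ) {
        return false; // API unreachable: hold rather than allow
    }
    if ( $info['version'] !== $item->new_version ) {
        delete_transient( 'dau_info_' . md5( $item->slug ) ); // stale cache; refetch on next run
        return false;
    }
    $baselines = get_option( 'dau_contributor_baselines', array() );
    $baseline  = isset( $baselines[ $item->slug ] ) ? $baselines[ $item->slug ] : array();
    if ( ! dau_release_old_enough( $info, $baseline, time() ) ) {
        error_log( sprintf( 'delayed-auto-updates: holding %s %s', $item->slug, $item->new_version ) );
        return false;
    }
    return $update;
}
add_filter( 'auto_update_plugin', 'dau_filter_auto_update', 10, 2 );

// After any plugin update completes, record its contributor list as the new ownership baseline.
function dau_record_baseline( $upgrader, $hook_extra ) {
    if ( empty( $hook_extra['type'] ) || 'plugin' !== $hook_extra['type'] ) {
        return;
    }
    $files = ! empty( $hook_extra['plugins'] ) ? (array) $hook_extra['plugins']
           : ( ! empty( $hook_extra['plugin'] ) ? array( $hook_extra['plugin'] ) : array() );
    $baselines = get_option( 'dau_contributor_baselines', array() );
    foreach ( $files as $plugin_file ) {
        $slug = dirname( $plugin_file ); // "akismet/akismet.php" -> "akismet"
        if ( '.' === $slug ) {
            continue; // single-file plugin without a directory slug
        }
        $info = dau_plugin_info( $slug );
        if ( $info ) {
            $baselines[ $slug ] = $info['contributors'];
        }
    }
    update_option( 'dau_contributor_baselines', $baselines );
}
add_action( 'upgrader_process_complete', 'dau_record_baseline', 10, 2 );
```

Place the file in wp-content/mu-plugins/. Plugins not hosted on WordPress.org usually carry no slug in the update object and fall through to the default policy, and when the API cannot be reached the update is held rather than allowed, which is the safe failure mode here. The filter governs automatic updates only; updates started by hand from the Plugins screen go ahead immediately, so the waiting periods still have to be applied by the person clicking the button.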

