Register

The Most Active and Friendliest
Affiliate Marketing Community Online!

Register
“Adavice”/  “CPA

30 plugin exploits to backdoor WordPress sites

Graybeard

Graybeard

Well-Known Member
The main functionality of the trojan is to hack WordPress sites using a set of hardcoded exploits that are run successively, until one of them works.

The targeted plugins and themes are the following:

www.bleepingcomputer.com

New Linux malware uses 30 plugin exploits to backdoor WordPress sites

A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript.
www.bleepingcomputer.com www.bleepingcomputer.com
 
Graybeard said:
The main functionality of the trojan is to hack WordPress sites using a set of hardcoded exploits that are run successively, until one of them works.

The targeted plugins and themes are the following:

www.bleepingcomputer.com

New Linux malware uses 30 plugin exploits to backdoor WordPress sites

A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript.
www.bleepingcomputer.com www.bleepingcomputer.com
Click to expand...

This has been going on for many years. As soon as WP was launched, these practices began.
 
This is just one of the many reasons not to use WP for affiliate marketing (et al). In the long run, a properly coded site with the appropriate addons on the server is cheaper to manage and protect, albeit a little more money at the onset.

I like the idea of WP for various projects, and used it on some from 2004 until 2012, but in the end I had to stop using it due to the constant attacks, platform/plugin conflicts, and the various frontend and backend restrictions.

I really think that in the end, as we see, read, and hear from here and elsewhere, that the majority of the users are looking for something quick and easy. In the end they learn it was never that, can't be that, and they need somone to come in and do the work they either don't have the skills to do, don't want to learn those skills, or need the platform to do more than it was intended for.
 
T J Tutor said:
quick and easy
Click to expand...
At first glance WP seems to be the ticket.
WP is really very high maintenance
  • Daily backups and you need to prune it to the past few days.
  • Frequent or auto-updates of the core.
  • Open FTP ports and vulnerabilities.
  • Serious limitations in back-end code --all CMS platforms really --they are convenient until they are not.
  • Plug-in hell
 
Graybeard said:
At first glance WP seems to be the ticket.
WP is really very high maintenance
  • Daily backups and you need to prune it to the past few days.
  • Frequent or auto-updates of the core.
  • Open FTP ports and vulnerabilities.
  • Serious limitations in back-end code --all CMS platforms really --they are convenient until they are not.
  • Plug-in hell
Click to expand...

Great shortlist.

We see this with so many other "ready made" stuff. Great ideas, wonderful prospects, but just to many vulnerabilities, limitations, and excessive maintenance. The classic love/hate relationship.

For now, I'll stick with my dev guys and "from scratch" developed sites. It's cheaper, more secure, and profitable long term for me, and I always believe for others as well.
 
Last edited:
Here's a new one
All In One SEO (AIOSEO) plugin, which has over three million active installations, is vulnerable to two Cross-site scripting (XSS) attacks.
 
I remember when that plugin came out. I tested it and did a comparison with Yoast. I found Yoast more in line with my needs at the time. I'm sure that many of these plugins have security issues that either go unnoticed or unreported.
 
BlacklightTwin said:
Is there any reliable way to defend against such attacks other than not using them?
Click to expand...

Hire a security professional on FIVVR or Freelancer and have them check your site for vulnerabilities a few times a year. Once you have a well established business model you'll likely have a few different part time developers for various needs.

There are some free tools out there to get you started and to help you understand the risks out there and some of the solutions. Just search for Free Site Security Scan.
 
87% of Container Images in Production Have Critical or High-Severity Vulnerabilities
Docker etc ...
www.darkreading.com

87% of Container Images in Production Have Critical or High-Severity Vulnerabilities

At the inaugural CloudNativeSecurityCon, DevSecOps practitioners discussed how to shore up the software supply chain.
www.darkreading.com www.darkreading.com

Looking for an easy solution?
rolls-eyes-emoji80.gif
 
Graybeard said:
87% of Container Images in Production Have Critical or High-Severity Vulnerabilities
Docker etc ...
www.darkreading.com

87% of Container Images in Production Have Critical or High-Severity Vulnerabilities

At the inaugural CloudNativeSecurityCon, DevSecOps practitioners discussed how to shore up the software supply chain.
www.darkreading.com www.darkreading.com

Looking for an easy solution?
View attachment 29308
Click to expand...

That is mostly due to placing the applications and image containers in the cloud. Most of those vulnerabilities reported are cloud vulnerabilities that can be mitigated with proper updates in a timely manner. Most of the updates available for cloud vulnerabilities are scheduled quarterly rather than immediate. This has long been an issue in companies going back many decades.
 
You ever run a docker image and looked at what is inside? The images include the dependencies used.

npm still has images that the install shows as with critical vulnerabilities.

cloud containers explained at DuckDuckGo

DuckDuckGo. Privacy, Simplified.
duckduckgo.com duckduckgo.com

You 'should ' be able to update the applications' dependencies independently.
 
Updates are dependent on the maintainer of the container you install. If you do not build your own container.

The container updates the whole container to the current one when it is loaded or reloaded.
So, if the maintainer (read:distributor) of that container does not update it you can be running software that is not secure)

Same problem with WordPress plugins. They need to be maintained and updated.

PDO is the only secure way to use PHP with MySQL Hard to work with though ...

PHP: 
//boards/aff_fix/AIOSEO/wordpress/wp-includes/class-wpdb.php
        // Use the `mysqli` extension if it exists unless `WP_USE_EXT_MYSQL` is defined as true.
        if ( function_exists( 'mysqli_connect' ) ) {
            $this->use_mysqli = true;

            if ( defined( 'WP_USE_EXT_MYSQL' ) ) {
                $this->use_mysqli = ! WP_USE_EXT_MYSQL;
            }
        }

mysqli is not that secure
 

Similar threads

A
What is The Best CRM for a WordPress WebSite?
Replies
10
Views
3K
charlotte_etw
charlotte_etw
Graybeard
Vulnerability > WordPress GDPR Compliance plugin
Replies
0
Views
3K
Graybeard
Graybeard
DigiMLabs
Squarespace vs Wordpress - What will you choose?
Replies
12
Views
8K
Gamerseo
Gamerseo
mcoban
Is SEO Tools like SEO Power Suite, SeNuke Worth It?
Replies
4
Views
4K
moypoisk.seo
moypoisk.seo
AffiliateFix
  • Locked
  • Sticky
Official How To Get Your Resource Listed
Replies
0
Views
5K
AffiliateFix
AffiliateFix
banners
Back