In the last few months, we have discovered a number of supply chain attacks targeting WordPress plugins. In this post, we explain what a supply chain attack is, why WordPress is an attractive target for them, and what you can do to protect your site.
What Is a Supply Chain Attack?
In the software industry, a supply chain attack exploits a trusted relationship between software vendors or authors and their customers. For WordPress, that means figuring out how to embed malware into software updates. In one case, we saw an existing plugin author install malware on customer sites in an effort to monetize an existing plugin. In every other case we have uncovered, the attack was carried out by someone who had purchased the plugin with the express intention of attacking its users.
Here are the WordPress supply chain attacks we have recently uncovered:
These attacks work because, as a site owner, you have already made the decision to trust the software vendor or author. In many cases, you may have gone so far as to enable automatic updates for the plugin, allowing the author turned attacker to push malware to your website any time they want.
Why Is WordPress a Target?
WordPress is an attractive target for supply chain attacks for a number of reasons.
The first reason is simply scale. According to w3techs, WordPress powers 29.2% of all websites – a massive user base to go after. In addition, at the time of this writing there were 53,566 plugins available for download in the official WordPress.org plugin repository. That is a lot to work with on both fronts.
Secondly, the WordPress.org plugin directory is an open, community-driven resource. According to the plugin guidelines page, “It is the sole responsibility of plugin developers to ensure all files within their plugins comply with the guidelines.” This means that while there is a small team tasked with managing the plugin repository and another small team focused on security, ultimately users rely on plugin developers to keep them safe.
Thirdly, most WordPress sites are managed pretty casually. Making a change to a website at a larger company might include code review, testing and a formal change control process. But that’s probably not happening consistently, if at all, on most smaller websites. In addition, many site owners don’t monitor their WordPress sites closely, which means malware can often remain in place for many months without being discovered.
Lastly, the WordPress plugin repository has a huge number of abandoned plugins. When we looked back in May, almost half of the available plugins hadn’t been updated in over two years. This represents a great opportunity for ne’er do wells looking to con unsuspecting plugin authors into selling something they created years ago and have moved on from.
Why Do WordPress Plugin Authors Sell Their Plugins?
The large majority of plugins in the repository are completely free to use, meaning there aren’t any premium features available for purchase. While that is generally a very positive thing for the WordPress community, the reality is that all the people behind those free plugins still need to make a living. If they aren’t making money from the plugin they created, they often lose interest in it or abandon it altogether.
When someone approaches them offering money for their plugin, it may be hard to pass up. And the plugin author may think it’s a perfectly innocent offer, because it’s not like the supply chain attacker announced their bad intentions. On the contrary: in the purchase solicitations we have seen, they often come across as someone wanting to help.
This is an excerpt from a solicitation to purchase a plugin that we saw earlier in 2017:
I am wondering if me and my team would be able to purchase this plugin from you and then take over the complete development of it and push out a new update to make it work better with the latest wordpress.
We will also put our admin team onto the support forum and make sure the users are happy and if there are any features they are specifically asking for we will get them added in to the next update.
As a plugin author who created something that thousands of people are using, what a wonderful opportunity! This nice person is offering to not only pick up where you left off with something you cared enough to build, but they’re willing to give you money for it as well.
How to Protect Your Websites
Fortunately, you can protect your website against these attacks with a number of effective tactics.
- Screen plugins and themes very carefully. Every time you install a plugin or theme, you are allowing a new person’s code to run on your site. In general, the more established and active the author, the better.
- Scan your site for malware regularly. We recommend enabling scheduled scans by both Wordfence and Gravityscan. Both include a free scheduled scan option.
- Check your site and IP address against blacklists regularly. Gravityscan checks over 20 of them for free.
- Exercise great caution when the WordPress.org repository removes or “closes” one of your installed plugins, or when it changes hands. Wordfence alerts you when a plugin has been removed from the repo for any reason.
- Consider removing or replacing abandoned plugins. Authors of these plugins are the most likely to sell them. Wordfence alerts you when a plugin hasn’t been updated in 2 years.
- Keep an eye on our blog. We will continue to share information about plugins that have been compromised as we discover them in our research.
Unfortunately, we believe that these types of attacks on the WordPress ecosystem are going to grow in popularity. Attackers will also very likely employ new and creative tactics that we can’t foresee in the new year.
As a site owner, you will need to apply extra scrutiny to every plugin and theme you add to your website while keeping your eyes open for anything odd that crops up to stay vigilant against any such potential attacks in the future.