WordPress Supply Chain Attacks: An Emerging Threat
In the last few months, we have discovered a number of supply chain attacks targeting WordPress plugins. In this post, we explain what a supply chain attack is, why WordPress is an attractive target for them, and what you can do to protect your site.
What Is a Supply Chain Attack?
In the software industry, a supply chain attack exploits a trusted relationship between software vendors or authors and their customers. For WordPress, that means figuring out how to embed malware into software updates. In one case, we saw an existing plugin author install malware on customer sites in an effort to monetize an existing plugin. In every other case we have uncovered, the attack was carried out by someone who had purchased the plugin with the express intention of attacking its users.
Here are the WordPress supply chain attacks we have recently uncovered:
- In late December we discovered backdoors installed in three plugins after they were purchased: Duplicate Page and Post, No Follow All External Links and WP No External Links. (Bleeping Computer coverage)
- In mid December we discovered a backdoor in a Captcha plugin after its purchase. This plugin was active on over 300,000 websites.
- In early November we discovered a plugin that was mining for Monero cryptocurrency using site visitors’ CPU resources.
- In September we uncovered a 4.5 year spam campaign impacting nine plugins, which we covered in a series of posts.
These attacks work because, as a site owner, you have already made the decision to trust the software vendor or author. In many cases, you may have gone so far as to enable automatic updates for the plugin, allowing the author turned attacker to push malware to your website any time they want.
Why Is WordPress a Target?
WordPress is an attractive target for supply chain attacks for a number of reasons.
The first reason is simply scale. According to w3techs, WordPress powers 29.2% of all websites – a massive user base to go after. In addition, at the time of this writing there were 53,566 plugins available for download in the official WordPress.org plugin repository. That is a lot to work with on both fronts.
Secondly, the WordPress.org plugin directory is an open, community-driven resource. According to the plugin guidelines page, “It is the sole responsibility of plugin developers to ensure all files within their plugins comply with the guidelines.” This means that while there is a small team tasked with managing the plugin repository and another small team focused on security, ultimately users rely on plugin developers to keep them safe.
Thirdly, most WordPress sites are managed pretty casually. Making a change to a website at a larger company might include code review, testing and a formal change control process. But that’s probably not happening consistently, if at all, on most smaller websites. In addition, many site owners don’t monitor their WordPress sites closely, which means malware can often remain in place for many months without being discovered.
Lastly, the WordPress plugin repository has a huge number of abandoned plugins. When we looked back in May, almost half of the available plugins hadn’t been updated in over two years. This represents a great opportunity for ne’er do wells looking to con unsuspecting plugin authors into selling something they created years ago and have moved on from.
Why Do WordPress Plugin Authors Sell Their Plugins?
The large majority of plugins in the repository are completely free to use, meaning there aren’t any premium features available for purchase. While that is generally a very positive thing for the WordPress community, the reality is that all the people behind those free plugins still need to make a living. If they aren’t making money from the plugin they created, they often lose interest in it or abandon it altogether.
When someone approaches them offering money for their plugin, it may be hard to pass up. And the plugin author may think it’s a perfectly innocent offer, because it’s not like the supply chain attacker announced their bad intentions. On the contrary: in the purchase solicitations we have seen, they often come across as someone wanting to help.
This is an excerpt from a solicitation to purchase a plugin that we saw earlier in 2017:
I am wondering if me and my team would be able to purchase this plugin from you and then take over the complete development of it and push out a new update to make it work better with the latest wordpress.
We will also put our admin team onto the support forum and make sure the users are happy and if there are any features they are specifically asking for we will get them added in to the next update.
As a plugin author who created something that thousands of people are using, what a wonderful opportunity! This nice person is offering to not only pick up where you left off with something you cared enough to build, but they’re willing to give you money for it as well.
How to Protect Your Websites
Fortunately, you can protect your website against these attacks with a number of effective tactics.
- Screen plugins and themes very carefully. Every time you install a plugin or theme, you are allowing a new person’s code to run on your site. In general, the more established and active the author, the better.
- Scan your site for malware regularly. We recommend enabling scheduled scans by both Wordfence and Gravityscan. Both include a free scheduled scan option.
- Check your site and IP address against blacklists regularly. Gravityscan checks over 20 of them for free.
- Exercise great caution when the WordPress.org repository removes or “closes” one of your installed plugins, or when it changes hands. Wordfence alerts you when a plugin has been removed from the repo for any reason.
- Consider removing or replacing abandoned plugins. Authors of these plugins are the most likely to sell them. Wordfence alerts you when a plugin hasn’t been updated in 2 years.
- Keep an eye on our blog. We will continue to share information about plugins that have been compromised as we discover them in our research.
Unfortunately, we believe that these types of attacks on the WordPress ecosystem are going to grow in popularity. Attackers will also very likely employ new and creative tactics that we can’t foresee in the new year.
As a site owner, you will need to apply extra scrutiny to every plugin and theme you add to your website while keeping your eyes open for anything odd that crops up to stay vigilant against any such potential attacks in the future.
It seems that Wordpress should step in and moderate sales to another developer of Wordpress repository plugins and themes. Drupal has a tight leash on their repositories, so should Wordpress.
It's an easy fix, too: If a plugin is going to change ownership, to remain in the WordPress repository, the transaction should be processed by WordPress (Atomic). They can take a small fee off the top of the transaction to account for processing cost, and should remain otherwise neutral in the transaction, except perhaps for vetting the buyer.
That would make it enormously difficult for bad actors to gain control of repository plugins, with minimal burden to sellers.
JIm - I like that idea. Maintaining some common database of these purchase transactions and collateral information would help identify patterns to help "fingerprint" malevolent actors and (minimally) to impede them somewhat or (optimally) be able to provide criminal evidence against them. Also, since some mal-actors are building plugin stables. If WordPress can identify the stable a bad plugin resides in, they might be able to take broader action.
The problem to solve is volunteers and/or funding. A small commission might help. Better still, if a reputable security-related company could sponsor and/or or take responsibility for this, it should help their marketing, their reputation and, potentially, provide a useful stream of information for their business.
Just my early morning idea... If a Plugin was "Authenticated" or "Trusted" by WordFence to be safe and worthy of displaying the WordFence Logo in the Plugin Settings/Home page I for one would pick that plugin over another. I would also be happy to pay (or donate as we do) a fee.
Thanks for the nice work!
As a matter of interest: in the above cases, what sort of money did the plugin owner get? Did the cooperative previous owners give an indication? Is this basically a low-budget & fast way to buy into the system?
Hi Mike, for the instances where we've gotten that information I believe lowest price was $600 and the highest was $15,000.
Interesting - so basically for less than 50 cents (or much,much less) per install, the attacker is nesting himself on the server to do what he wants within a short time. And even if half of the installed base remove the plugin, the attacker still bought himself a cheap vector ...
it's sad to read
Can those who have a free WordPress site download the Wordfence plugin?
WordPress.com sites can only install custom plugins if you're on the Business pricing plan.
Thank you for the interesting and informative updates and posts.
In cases like this where malicious code is intentionally distributed is legal action taken?
Hi Martin, I can't speak to what the team at WordPress.org might be doing in this regard, but we do provide information to law enforcement from time to time when it makes sense. We don't publicize the details for obvious reasons.
WOW! Thank you for the update. If you can recommend "Gravityscan" to us, what system do you utilize within your research that might be beneficial to incorporate as part of a Wordfence update to keep these emerging threats at bay? Nevermind, I see now that "Gravityscan" is your own Wordfence plugin with both a free and a monthly paid subscription.
Thank you! We installed this scan, too! Lost count on how many Russian bots been trying to access our site. We quickly installed Wordfence and no more access!
Once again you guys are on the ball. I personally follow Wordfence blog and updates each day thanks guys.
Just a thought: why is it a 2 yr none update re plugins not updated? Surely it could be shorter like 6 months not updated and lets us make the decision to use it or not.
Also it would be great if Wordfence could add in your plugin a section that shows us if a plugin on our sites has changed owner/website links in ownership files of the plugin like an alert via email that would help us even more.
Thanks for great work you guys do, I don't know what we would all do with you.
Great article, and it is inspiring to see how many excellent ideas and possible solutions were generated in the comments.
I just got an email from a plugin owner I use on multiple sites saying they are selling the plugin for exactly the reasons you outlined in the article. Before, I would not have given this news a second thought. Now I need to pay more attention and possibly do some research on the new owner.
Does this backdoor stuff apply to the free plugins as well as the purchased?
Hi Norine, so far we've only uncovered supply chain attacks that impact free plugins.
If I am using a plugin on my site, is there a notification that goes out when a plugin is removed from the repository or otherwise "closed?"
Wordfence scans alert you to both! You can also tell by going to the plugin's page in the repository.
I just received a WordFence alert about Shareaholic plugin being removed from WordPress.org this am. I can't find any reference to this anywhere else - do you know what the current status is?
We'll be happy to look into it. It might have been a very temporary removal, since it's back in the repo now. Unfortunately we're unable to offer customer support via blog comments, so if you're a Premium customer, please feel free to send in a premium support ticket via your plugin dashboard, and if you're a free user, we'll be happy to help in the support forums. Thanks!