WordPress sites are being backdoored with rogue admin users

Credit to Author: John E Dunn | Date: Mon, 02 Sep 2019 14:58:07 +0000

Lock up your WordPress – a recent malvertising campaign targeting vulnerable plugins is now trying to backdoor sites by creating rogue admin accounts.

In July when web firewall company WordFence (aka Defiant) first noticed the campaign, it was attempting to hijack sites to push popup ads, tech support scams and malicious Android apps.

Plugins targeted included vulnerable versions of Coming Soon Page & Maintenance Mode, which followed attacks in April and May on the Yellow Pencil Visual CSS Style Editor and Blog Designer.

Six weeks on, perhaps encouraged by the number of vulnerable sites they found, the attackers have escalated the campaign: instead of merely injecting ads, they now try to take complete control of any site running one of the vulnerable plugins.

A new vulnerable plugin, Bold Page Builder, has also been added to the exploitation list, which attackers reportedly started targeting on 22 August.

Rogue one

Anyone with a vulnerable plugin is now at risk of having their site backdoored by a rogue user account with administrator privileges. As before, the attackers attempt to infect vulnerable sites with malicious JavaScript code that’s run whenever a user visits an affected page.

The moment of weakness occurs if the user:

  1. Has previously visited an infected page
  2. Is a WordPress administrator on the infected site
  3. Is currently logged in to the site

If these conditions are met the code silently abuses the logged-in administrator’s ability to create new users, issuing an AJAX request to create a rogue administrator account named wpservices.

What could the attackers do with the access this rogue account gives them?

Pretty much anything they want.

What to do

The takeaway from this is that WordPress plugins represent a major security headache for site owners and need to be updated quickly, as soon as new software becomes available.

WordPress is such a popular platform that all WordPress site operators should assume that their sites are the subject of constant scans, probes and automated hacking attempts.

This is just one campaign, so while it’s important to ensure you’re not vulnerable to it, not being vulnerable to this one campaign isn’t enough by itself to keep your WordPress site safe.

In recent months, we’ve reported on a raft of plugins being targeted by hackers, including Easy WP SMTP, Abandoned Cart for WooCommerce, and WP GDPR Compliance. It’s a trend that shows no sign of ebbing.

Campaigns like this work by exploiting known vulnerabilities in WordPress plugins and, as ever, prevention is better than cure. So, make sure your WordPress software is set up to update itself automatically with security fixes, and check regularly to ensure your plugins are up to date too.

You might want to read Naked Security’s guide on how to avoid being one of the “73%” of WordPress sites vulnerable to attack too.

If you’re concerned that you might have been a victim of this campaign, WordFence have published a list of vulnerable plugins and Indicators of Compromise (IOCs).

As noted above, the giveaways for the latest attack are currently an administrator account named wpservices, registered with the email address wpservices@yandex.com. The attackers can change both at their leisure, of course, so don't rely on those two strings alone.
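Because the username and email can be changed at will, a useful check is to compare every administrator account against the admins you actually created, not just against the published indicators. The script below is an added example, not code from the article or from WordFence; it expects the CSV produced by `wp user list --format=csv --fields=ID,user_login,user_email,user_registered,roles` on the WordPress host, the `EXPECTED_ADMINS` allowlist is a placeholder you fill in, and the embedded CSV is constructed sample data for offline testing.

```python
#!/usr/bin/env python3
"""Audit WordPress administrator accounts for the rogue-admin backdoor described above."""
import csv
import io
from datetime import datetime

# Indicators quoted in the article (the attackers can change these at any time).
IOC_LOGINS = {"wpservices"}
IOC_EMAILS = {"wpservices@yandex.com"}
# Date the article gives for the Bold Page Builder attacks starting.
CAMPAIGN_START = datetime(2019, 8, 22)

# Placeholder allowlist: replace with the administrator logins you created yourself.
EXPECTED_ADMINS = {"siteowner"}

# Constructed sample in the format wp-cli emits; not taken from a real site.
SAMPLE_CSV = """ID,user_login,user_email,user_registered,roles
1,siteowner,owner@example.com,2018-03-10 09:12:44,administrator
7,editor1,editor@example.com,2019-01-04 11:30:01,editor
23,wpservices,wpservices@yandex.com,2019-08-28 03:14:52,administrator
24,backupadmin,ops@example.com,2019-08-30 22:01:09,administrator
"""


def audit_admins(csv_text, expected_admins=EXPECTED_ADMINS, campaign_start=CAMPAIGN_START):
    """Return [(user_login, [reasons])] for administrator accounts that need review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        roles = set(row["roles"].split(","))
        if "administrator" not in roles:
            continue  # only administrator accounts hand over full control of the site
        login = row["user_login"].lower()
        email = row["user_email"].lower()
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if login in IOC_LOGINS:
            reasons.append("username matches campaign IOC")
        if email in IOC_EMAILS:
            reasons.append("email matches campaign IOC")
        if login not in expected_admins:
            reasons.append("administrator not on the expected list")
            if registered >= campaign_start:
                reasons.append(f"created {row['user_registered']}, after the campaign began")
        if reasons:
            findings.append((row["user_login"], reasons))
    return findings


if __name__ == "__main__":
    for login, reasons in audit_admins(SAMPLE_CSV):
        print(f"REVIEW {login}: " + "; ".join(reasons))
```

On a real site, pipe the wp-cli CSV into `audit_admins` instead of `SAMPLE_CSV`; any account it reports should be verified with the person who supposedly created it before it is removed.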

Recovering a compromised site is beyond the scope of this article but if you find yourself needing to do it you’ll wish you had full, regular, off-site backups. If you don’t have that set up for your site, do it now, before you need it!
