Hackers have come up with a never-before-seen method of installing backdoored plugins on websites running the open-source WordPress CMS, and this new technique relies on using weakly protected WordPress.com accounts and the Jetpack plugin.
The technique is highly complex, and to compromise a site, a hacker must go through different steps, during which multiple things can prevent the attack from being successful.
Nevertheless, attacks have been happening since May 16, according to a report from WordPress site security firm Wordfence and several posts on the official WordPress.org forums from site owners who had their sites hijacked.
The first step of this attack consists of hackers taking usernames and passwords from public breaches and trying them against WordPress.com accounts, a technique known as credential stuffing.
Users who reused passwords across accounts and who did not enable two-factor authentication on their WordPress.com profiles are susceptible to these account takeover attempts.
To be clear, WordPress.com accounts are used to manage blogs hosted by Automattic, and are different from both WordPress.org accounts and the admin accounts of self-hosted WordPress sites that are based on the open-source CMS.
While the WordPress open-source CMS is managed by the WordPress community, many Automattic developers contribute to the project and have always had close ties to it and a big influence on it. This is why, a few years back, Automattic took the analytics plugin used on WordPress.com and released it as an open-source plugin for self-hosted WordPress sites.
Over time, this analytics module, named Jetpack, grew with many new features and is now one of the most popular plugins for WordPress sites.
One of the plugin's features is the ability to connect self-hosted WordPress sites to a WordPress.com account and use the Jetpack panel inside the WordPress.com dashboard to manage dozens or even thousands of self-hosted WordPress sites via the Jetpack plugin installed on each site.
One of the options Jetpack provides is the ability to install plugins across different sites from the WordPress.com Jetpack dashboard.
The plugin doesn't even have to be hosted on the official WordPress.org plugin repository: attackers can simply upload a ZIP file containing the malicious code, and it is then pushed to each connected site.
According to Wordfence, hackers who've been taking over WordPress.com accounts and finding linked WordPress self-hosted sites have been abusing this remote management feature to deploy backdoored plugins across previously secured sites.
Experts say that attacks started on May 16, with the hackers deploying a plugin named "pluginsamonsters," later switching to another plugin named "wpsmilepack" on May 21.
The number of compromised sites is unknown, and detecting compromised sites is also difficult.
"The plugin is visible on the WordPress.com dashboard but is invisible on the target WordPress site's plugin list when active," the Wordfence team said.
For now, hackers have been using these backdoors to redirect users to spam and tech support scams.
Owners of self-hosted sites that have connected their Jetpack plugin to a WordPress.com account are encouraged to review the plugins deployed across their self-hosted sites from inside the WordPress.com dashboard, where the rogue plugin remains visible even though it hides itself on the site.
If they find suspicious plugins, they should immediately change their WordPress.com account password, enable two-factor authentication for the account, and initiate site-cleaning procedures on every connected site, since rotating the account password does not remove a backdoor already installed on a site.
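Because the backdoored plugin hides itself from the site's own plugin list, a useful site-cleaning check is to compare what is on disk under wp-content/plugins against what the Plugins screen (or `wp plugin list`) reports. The script below is an added example, not code from Wordfence or from the article: it flags any plugin directory missing from the reported list, any directory whose name matches the two plugin names the article reports, and any PHP file that registers a filter on WordPress's plugin list (the `all_plugins` and `show_advanced_plugins` hooks). That a self-hiding plugin uses those filters is an assumption of this example, not something the article states, and the sample directory tree it builds is constructed for the demonstration.

```python
"""Added example: spot a plugin present on disk but hidden from WordPress's
plugin list. Not from the article or Wordfence. The hiding mechanism
(filters on all_plugins / show_advanced_plugins) is an assumption; the two
plugin names are the ones the article reports."""
import os
import re
import tempfile

# Plugin names reported in the article.
REPORTED_PLUGIN_NAMES = {"pluginsamonsters", "wpsmilepack"}

# Assumed indicators: hooks a plugin can use to drop itself from the Plugins screen.
HIDING_PATTERNS = [
    re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]"),
    re.compile(r"add_filter\s*\(\s*['\"]show_advanced_plugins['\"]"),
]


def plugins_on_disk(plugins_dir):
    """Return the plugin slugs (subdirectory names) under wp-content/plugins."""
    return {
        name for name in os.listdir(plugins_dir)
        if os.path.isdir(os.path.join(plugins_dir, name))
    }


def hiding_hooks(plugin_dir):
    """Return PHP files (relative paths) in a plugin that register a plugin-list filter."""
    hits = []
    for root, _dirs, files in os.walk(plugin_dir):
        for fname in files:
            if not fname.endswith(".php"):
                continue
            path = os.path.join(root, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if any(p.search(src) for p in HIDING_PATTERNS):
                hits.append(os.path.relpath(path, plugin_dir))
    return sorted(hits)


def audit_plugins(plugins_dir, listed_slugs):
    """Compare plugin directories on disk with the slugs WordPress reports.

    listed_slugs: the slugs shown on the Plugins screen or by `wp plugin list`.
    Returns {slug: [reasons]} for every directory that looks suspicious."""
    findings = {}
    for slug in sorted(plugins_on_disk(plugins_dir)):
        reasons = []
        if slug not in listed_slugs:
            reasons.append("present on disk but absent from the plugin list")
        if slug in REPORTED_PLUGIN_NAMES:
            reasons.append("name matches a plugin reported in this campaign")
        hooks = hiding_hooks(os.path.join(plugins_dir, slug))
        if hooks:
            reasons.append("registers a plugin-list filter in: " + ", ".join(hooks))
        if reasons:
            findings[slug] = reasons
    return findings


def build_demo_tree():
    """Constructed sample layout: one ordinary plugin and one self-hiding one."""
    base = tempfile.mkdtemp(prefix="wp-plugins-")
    os.makedirs(os.path.join(base, "akismet"))
    with open(os.path.join(base, "akismet", "akismet.php"), "w") as fh:
        fh.write("<?php\n// Plugin Name: Akismet\n")
    os.makedirs(os.path.join(base, "wpsmilepack"))
    with open(os.path.join(base, "wpsmilepack", "wpsmilepack.php"), "w") as fh:
        fh.write(
            "<?php\n"
            "// Plugin Name: wpsmilepack\n"
            "add_filter('all_plugins', function ($plugins) {\n"
            "    unset($plugins['wpsmilepack/wpsmilepack.php']);\n"
            "    return $plugins;\n"
            "});\n"
        )
    return base


if __name__ == "__main__":
    tree = build_demo_tree()
    # What an admin sees on the Plugins screen: the hidden plugin is missing.
    seen_on_plugins_screen = {"akismet"}
    for slug, reasons in audit_plugins(tree, seen_on_plugins_screen).items():
        print(slug)
        for reason in reasons:
            print("  -", reason)
```

On a real site, point `audit_plugins` at the site's wp-content/plugins directory and pass the slugs from the Plugins screen or `wp plugin list --field=name`; a directory that the script reports but WordPress does not is the one to pull for analysis before cleaning.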
Wordfence said that the threat actor behind this new site hijacking technique has targeted self-hosted WordPress sites before. In February of this year, they used the same credential stuffing technique, trying leaked username and password combos against the admin accounts of self-hosted WordPress sites, to hijack those sites directly rather than through WordPress.com.
Image credits: Wordfence, Automattic