May 07, 2024
Yet another blog on why WordPress is not a good solution for your project or business.
by Thomas, Technical Partner
This blog explores how a compromised app download and several vulnerable WordPress sites turned devices into puppets for hackers. By understanding the risks involved and how hackers exploited these vulnerabilities, you can protect your website and data more effectively.
At Kahu Software, we're not big fans of WordPress, even for the simplest websites. It's tempting to install "just one more plugin" for a carousel or table, but did you know some of those plugins have been vulnerable for ages?
The reality is that many WordPress sites remain unmaintained for years, making them easy targets for hackers. According to a report by The Tech Report, over 73% of WordPress installations are vulnerable to attacks due to outdated software. That's 30,823 of the 42,106 installations tested that face the risk of getting hacked!
Even though WordPress provides automatic updates, many site owners disable them or ignore notifications. This creates opportunities for hackers who exploit outdated plugins or themes to gain unauthorized access. For example:
A cybersecurity firm from China, QiAnXin XLab, discovered the Wpeeper malware. This sneaky malware went unnoticed on Google's VirusTotal platform. It was hidden in a fake app on the Uptodown App Store, an Android-only platform. This app collected sensitive information and could manage device files, putting users' data at risk.
Although the Uptodown App Store isn't as popular as the Google Play Store and didn't affect a lot of users directly, that's not the main focus of this post.
The fake app needed a server to send the stolen information over the internet. The hackers used a command-and-control (C2) server hidden behind a chain of vulnerable WordPress servers, making it hard to trace them.
In this case, the hackers compromised several WordPress sites, using them as proxies to mask their activities. This is a common technique, as hackers know these servers often remain unpatched and are easy to exploit. The command-and-control server, masked by WordPress servers, allowed hackers to collect sensitive data without revealing their true location.
Our immediate thought: can everyone stop using WordPress? Sure, it's easy to launch a quick website for your project or business, but relying solely on WordPress plugins is cutting corners. Without active developers keeping things up to date, hackers can easily exploit those vulnerabilities.
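The outdated-plugin and disabled-auto-update problems described above can be checked mechanically rather than by hand. The following audit script is an added illustration for this post, not code from Kahu Software, WordPress or the researchers cited; it assumes the operator has already exported the plugin list with the real WP-CLI command `wp plugin list --format=json` and has a copy of wp-config.php, and both inputs here are constructed samples so the audit runs offline.

```python
"""Audit a WordPress site's update posture from WP-CLI-style plugin data
and wp-config.php constants.

Added example for this post, not code from Kahu Software or WordPress.
The plugin JSON and the wp-config.php excerpt are CONSTRUCTED samples
shaped like real `wp plugin list --format=json` output and real config.
"""
import json
import re

# Constructed sample shaped like `wp plugin list --format=json` output.
# Plugin names are placeholders, not real plugins.
SAMPLE_PLUGIN_JSON = json.dumps([
    {"name": "example-carousel", "status": "active", "update": "available",
     "version": "1.2.0", "update_version": "1.4.3", "auto_update": "off"},
    {"name": "example-tables", "status": "inactive", "update": "available",
     "version": "0.9.1", "update_version": "2.0.0", "auto_update": "off"},
    {"name": "example-seo", "status": "active", "update": "none",
     "version": "3.1.0", "update_version": None, "auto_update": "on"},
])

# Constructed wp-config.php excerpt; both constants are real WordPress settings.
SAMPLE_WP_CONFIG = """<?php
define( 'AUTOMATIC_UPDATER_DISABLED', true );
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
"""

# Matches define( 'NAME', value ); and captures the name and the raw value.
_DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*([^)]+?)\s*\)\s*;")


def parse_wp_config(text):
    """Return a dict of define()'d constants; values are PHP literals as strings."""
    return {name: value.strip().strip("'\"")
            for name, value in _DEFINE_RE.findall(text)}


def audit(plugin_json, wp_config_text):
    """Return a list of (severity, message) findings, highest severity first."""
    findings = []
    constants = parse_wp_config(wp_config_text)

    # Site-wide switches that silently turn off the updates the post relies on.
    if constants.get("AUTOMATIC_UPDATER_DISABLED", "false").lower() == "true":
        findings.append(("high", "AUTOMATIC_UPDATER_DISABLED is true: "
                                 "WordPress will not apply any automatic update"))
    core = constants.get("WP_AUTO_UPDATE_CORE")
    if core is not None and core.lower() == "false":
        findings.append(("high", "WP_AUTO_UPDATE_CORE is false: "
                                 "core security releases are not auto-applied"))

    # Per-plugin checks: pending updates, dead code on disk, auto-update opt-outs.
    for plugin in json.loads(plugin_json):
        name = plugin["name"]
        active = plugin.get("status") == "active"
        if plugin.get("update") == "available":
            severity = "high" if active else "medium"
            findings.append((severity, f"{name}: {plugin['version']} -> "
                                       f"{plugin['update_version']} available"))
        if plugin.get("status") == "inactive":
            findings.append(("low", f"{name}: inactive plugin still on disk; "
                                    "remove it if unused"))
        if active and plugin.get("auto_update") == "off":
            findings.append(("low", f"{name}: auto-updates off "
                                    f"(wp plugin auto-updates enable {name})"))

    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_PLUGIN_JSON, SAMPLE_WP_CONFIG):
        print(f"[{severity}] {message}")
```

On a real site, replace the two constructed inputs with the output of `wp plugin list --format=json` and the contents of wp-config.php; a non-empty "high" list is the signal that the site is in exactly the unmaintained state the post warns about.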
While it's tempting to blame WordPress for all security issues, the truth is that many of these problems arise from poor site maintenance. Here are some key steps to protect your WordPress site:
At Kahu Software, we're focused on building fast, custom software, but we might not be the best fit for every project. Instead, consider template-based website builders that don't use WordPress at all.
Exploring Your Alternatives
Here are three trusted platforms with active developers keeping your site secure and up-to-date:
HubSpot: HubSpot offers a comprehensive website builder that integrates with its CRM, allowing you to manage content, customer data, and marketing campaigns in one place. It's perfect if you're looking to boost your marketing efforts while ensuring a secure, well-maintained site.
Wix: Wix provides an intuitive drag-and-drop editor, making it easy for anyone to create a website. Their App Market has hundreds of integrations, and Wix constantly updates its security protocols to protect its users.
Squarespace: Squarespace is ideal for those seeking beautifully designed templates for their business or creative projects. The platform is well-suited for e-commerce sites and blogs, and its development team regularly rolls out updates to keep everything secure.
These platforms have dedicated teams protecting your site from hackers, so you don't have to worry about plugin vulnerabilities.
WordPress might have been the go-to for setting up websites quickly in the past, but it's time to prioritize security over convenience. Unmaintained plugins are a ticking time bomb that can expose sensitive information and make your device vulnerable to attacks.
Stay safe out there y'all, and choose platforms with active developers to keep your business secure!