May 07, 2024

The Recent Wordpress Malware Discovery

Yet another blog of why Wordpress is not a good solution for your project or business.

by Thomas, Owner


This blog explores how a compromised app download and several vulnerable WordPress sites turned devices into puppets for hackers. By understanding the risks involved and how hackers exploited these vulnerabilities, you can protect your website and data more effectively.

The Vulnerability of Wordpress Sites

At Kahu Software, we're not big fans of WordPress, even for the simplest websites. It's tempting to install "just one more plugin" for a carousel or table, but did you know some of those plugins have been vulnerable for ages?

The reality is that many WordPress sites remain unmaintained for years, making them easy targets for hackers. According to a report by The Tech Report, over 73%+ of WordPress installations are vulnerable to attacks due to outdated software. That's 30,823 installations from 42,106 duly-tested installations that face the risk of getting hacked!

Even though WordPress provides automatic updates, many site owners disable them or ignore notifications. This creates opportunities for hackers who exploit outdated plugins or themes to gain unauthorized access. For example:

The Wpeeper Malware

A cybersecurity firm from China, QiAnXin XLab, discovered the Wpeeper malware. This sneaky malware went unnoticed on Google's VirusTotal platform. It was hidden in a fake app on the Uptodown App Store, an Android-only platform. This app collected sensitive information and could manage device files, putting users' data at risk.

Although the Uptodown App Store isn't as popular as the Google Play Store and didn't affect a lot of users directly, that's not the main focus of this post.

How Wordpress is Used Here

The fake app needed a server to send the stolen information over the internet. The hackers used a command-and-control (C2) server hidden behind a chain of vulnerable WordPress servers, making it hard to trace them.

In this case, the hackers compromised several WordPress sites, using them as proxies to mask their activities. This is a common technique, as hackers know these servers often remain unpatched and are easy to exploit. The command-and-control server, masked by WordPress servers, allowed hackers to collect sensitive data without revealing their true location.

Our immediate thought: can everyone stop using WordPress? Sure, it's easy to launch a quick website for your project or business, but relying solely on WordPress plugins is cutting corners. Without active developers keeping things up to date, hackers can easily exploit those vulnerabilities.

Protecting Your Website

While it's tempting to blame WordPress for all security issues, the truth is that many of these problems arise from poor site maintenance. Here are some key steps to protect your WordPress site:

  1. Keep Everything Updated: Ensure that WordPress core, plugins, and themes are up-to-date.
  2. Use Trusted Plugins: Only install plugins and themes from reputable sources. Regularly audit your plugins and remove those you don't use.
  3. Security Plugins: Consider using security plugins like Wordfence or Sucuri to monitor and protect your site.
  4. Two-Factor Authentication (2FA): Enable 2FA for an extra layer of security.
  5. Backup Regularly: Make sure you have regular backups of your site, so you can restore it quickly in case of an attack.

Our Recommendation

At Kahu Software, we're focused on building fast, custom software, but we might not be the best fit for every project. Instead, consider template-based website builders that don't use WordPress at all.

Here are three trusted platforms with active developers keeping your site secure and up-to-date:

These platforms have dedicated teams protecting your site from hackers, so you don't have to worry about plugin vulnerabilities.

Exploring Your Alternatives

WordPress might have been the go-to for setting up websites quickly in the past, but it's time to prioritize security over convenience. Unmaintained plugins are a ticking time bomb that can expose sensitive information and make your device vulnerable to attacks.

Stay safe out there y'all, and choose platforms with active developers to keep your business secure!

Get notified when we create.


No spam. Only significant launches of our clients! Exciting stuff.

CTA background image

Let's get started

We’re here to help

Schedule a 1-2-1 meeting with 2 clicks! Let's have a quick chat to see if Kahu Software is right for you.