WordPress struggles with manipulated plug-ins

WordPress has been very popular with users for a long time. Those users also rely on a wide range of functional plug-ins, offered by WordPress itself and by other vendors. Mostly all goes well, but just before Christmas 2017 the makers of the WordPress security plug-in WordFence noticed some inconsistencies. Further investigation revealed a hidden backdoor in the Captcha plug-in.

This free Captcha plug-in, originally developed for WordPress by the plug-in programmer BestWebSoft, was sold to a company named Simplywordpress, which took its time reworking it and then released an updated version 4.3.7. At some point a dispute over the plug-in's trademark rights came up and WordPress removed it from the plug-in repository on WordPress.org. At that point nothing was yet known about a security problem.

Things changed quickly thanks to a rule WordFence applies to itself: it routinely inspects high-volume plug-ins that have been removed from the repository. In doing so, WordFence discovered the backdoor and immediately warned the WordPress plug-in security team. To keep the approximately 300,000 users of the plug-in safe, the team worked hard on a clean release (version 4.4.5) built from an older, backdoor-free version of the code.

This cleaned-up version was pushed out as an automatic update and repaired about 100,000 infected installations on various WordPress sites. Most importantly, it was ensured that Simplywordpress could not publish updates in future. At the same time WordFence tightened its own protection: its firewall now blocks the Captcha plug-in as well as five other plug-ins from this vendor, and no update from this vendor can go online without first being checked by WordPress.

So what was the backdoor all about?

Interestingly, the code hidden in the plug-in was not as dangerous as it first appeared. Its purpose was to silently create backlinks to various commercial websites and spam domains in order to raise the Google ranking of certain sites, among them websites of Mason Soiza, owner of an SEO company, and of Stacy Wellington. Soiza is no stranger to the researchers: he has connections to Simplywordpress, was caught before trying to add a backdoor to the popular Display Widgets plug-in, and likes to buy up WordPress plug-ins in order to program backdoor code into them.

This is how the backdoor worked

The plug-in's automatic updater fetches a ZIP file from https://simplywordpress.net/captcha/captcha_pro_update.php and writes the backdoor it contains to its destination. That backdoor's job was to establish a session as the user with ID 1 (normally the first administrator account created during installation), set the authentication cookies for that session and finally delete itself. During their research the security experts found further update packages on the simplywordpress domain for other WordPress plug-ins, including Social Exchange, Covert Me Popup, Smart Recaptcha, Human Captcha and Death To Comments.
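As an added example (not part of the original article and not WordFence's code), here is a small Python scanner that looks for the indicators of exactly this behaviour in a plug-in's PHP source: an update package fetched from a host other than wordpress.org, a session switched to user ID 1, authentication cookies set by the plug-in itself, and a script that deletes its own file. The pattern names, the verdict rules and the two PHP samples are my own constructions.

```python
"""Static indicator scan for the backdoor behaviour described above (added example)."""
import os
import re
from typing import Dict, List

# Indicator patterns are my own, derived from the behaviour described in the
# article; they are not WordFence signatures.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    # Update package pulled from a host other than wordpress.org.
    "external_update_url": re.compile(
        r"https?://(?![\w.-]*wordpress\.org/)[\w.-]+/[^\s'\"]*\.(?:php|zip)", re.I),
    # Session silently switched to user ID 1 (normally the first admin account).
    "impersonate_user_1": re.compile(r"wp_set_current_user\s*\(\s*1\s*[,)]"),
    # Authentication cookies set by the plug-in itself instead of by a real login.
    "forge_auth_cookie": re.compile(r"wp_set_auth_cookie\s*\("),
    # Script removes its own file after running.
    "self_delete": re.compile(r"unlink\s*\(\s*__FILE__\s*\)"),
}


def scan_source(source: str) -> Dict[str, List[int]]:
    """Return {indicator name: [line numbers]} for every indicator found in PHP source."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def classify(hits: Dict[str, List[int]]) -> str:
    """Turn indicator hits into a verdict.

    Impersonating user 1 together with a forged auth cookie is an unauthenticated
    admin login, i.e. the backdoor itself. Two other indicators together are
    suspicious; a single one (e.g. an off-site update URL) only merits review.
    """
    if all(k in hits for k in ("impersonate_user_1", "forge_auth_cookie")):
        return "backdoor"
    if len(hits) >= 2:
        return "suspicious"
    return "review" if hits else "clean"


def scan_plugin_dir(root: str) -> Dict[str, str]:
    """Scan every .php file below root; return {relative path: verdict} for non-clean files."""
    findings: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.endswith(".php"):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                verdict = classify(scan_source(fh.read()))
            if verdict != "clean":
                findings[os.path.relpath(path, root)] = verdict
    return findings


# Constructed samples (not the real plug-in code) modelled on the described behaviour.
SAMPLE_BACKDOOR = """<?php
// constructed sample: fetches an off-site package, logs in as user 1, removes itself
$pkg = 'https://simplywordpress.net/captcha/captcha_pro_update.php';
wp_set_current_user(1);
wp_set_auth_cookie(1, true);
@unlink(__FILE__);
"""

SAMPLE_CLEAN = """<?php
// constructed sample: ordinary plug-in code that updates from wordpress.org
$pkg = 'https://downloads.wordpress.org/plugin/captcha.4.4.5.zip';
if (is_user_logged_in()) { $user = wp_get_current_user(); }
"""

if __name__ == "__main__":
    for label, src in (("backdoor sample", SAMPLE_BACKDOOR), ("clean sample", SAMPLE_CLEAN)):
        found = scan_source(src)
        print(f"{label}: {classify(found)} {found}")
```

Run scan_plugin_dir() against a copy of wp-content/plugins. A single hit, typically an off-site update URL, is only a reason to look closer; the combination of wp_set_current_user(1) with wp_set_auth_cookie() is the unauthenticated admin login that made this backdoor a backdoor, and a self-deleting file explains why a later manual inspection of the plug-in finds nothing.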

Around the same time, vBulletin Solutions, which operates a very popular internet forum platform, also had to release urgent patches: vBulletin 5.3.4 Patch Level 1, vBulletin 5.3.3 Patch Level 1 and vBulletin 5.3.2 Patch Level 2. One of the vulnerabilities fixed there allowed unauthenticated attackers to delete arbitrary files of a vBulletin installation; another allowed arbitrary code to run on Windows-based web servers. Unfortunately, the patches could only be published with some delay, leaving users in a zero-day situation for quite some time.

Well-known companies such as Sony Pictures, Zynga, Valve Corporation and Electronic Arts, and even NASA, use vBulletin. It seems to be quite common in this sector that popular software is maliciously manipulated after its resale; security experts report similar cases with browser extensions. The same approach is therefore feasible for any commonly used SDK, library or other third-party component: whoever takes over a widely installed component can ship malicious code to all of its users through its update channel.

See more at
https://www.bleepingcomputer.com/news/security/backdoor-found-in-wordpress-plugin-with-more-than-300-000-installations/

http://www.theregister.co.uk/2017/12/20/backdoor_wordpress_captcha/

http://securityboulevard.com/2017/12/yet-another-wordpress-extension-changes-owner-gets-backdoored/

The advantages of penetration testing for enterprises

Today, cyber security and the success of enterprises are linked more closely than we realise. Many entrepreneurs believe, for various reasons, that their IT network is secure; unfortunately, it usually is not. IT networks in every industry are exposed daily to a variety of threats, and in most cases it is an easy job for cyber criminals to gain access to what they are looking for. Penetration testing is the best way to reduce such threats as far as possible. It is the thorough examination of complete IT networks, systems, online shops, websites and so on for their resilience against cyber attacks of any kind. Penetration testing (e.g. performed by www.itexperst.at) is carried out by certified IT experts who are highly qualified to conduct system attacks, in a very controlled fashion, against any kind of IT system. The aim of these attacks is to reveal vulnerabilities, document them in a report and subsequently remove them.

11 advantages of a penetration test

Tests tailored to your company's needs

Because penetration tests can be adapted very precisely to the conditions on site, they are made up of a variety of individual procedures. This is an important point and gives every business a real advantage in terms of effective execution of the testing and detailed results. The results of on-site and off-site penetration testing bring the highest possible level of security to any enterprise.

System failure protection

Any internal or external breach of your IT network can lead to a complete system shutdown. Penetration tests come with a whole range of scenarios that reflect realistic cyber attacks and in this way are able to show possible system deficiencies and offer solutions.

Security of your infrastructure against external threats

Security weaknesses in software, networks or applications can be an open door for external intruders. For most IT security teams, the biggest challenges today come from attacks at the application level. Special testing procedures can find such vulnerabilities quickly and determine how fast real attacks would be recognised and stopped. The knowledge gained from the testing can be turned into worst-case measures that are immediately available in case of a real attack, so that the consequences can be minimised.

Security of your infrastructure against threats from inside

The threat from inside is very often overlooked and underestimated. Data carriers or files may contain malicious software that infects the network and spreads within it, and the assignment of access rights may not have been controlled sufficiently. Penetration tests can show such weaknesses so that IT systems can be secured against these kinds of danger.

Trade secrets are protected

Just one successful hack immediately puts important data at risk of being stolen, abused or possibly destroyed. These days cyber espionage is a highly lucrative business for cyber criminals. Penetration testing can find back doors and expose weaknesses in your data security.

Need for security is determined

Hackers are always adapting their methods of attack, so determining how good your company's IT security actually is matters a great deal. Penetration testing conducted by experts will identify the necessary requirements for the security of your business.

IT security will be up-to-date

Once the penetration test results reveal the security requirements, the IT systems can be updated regularly and thus kept up to date.

It saves costs

Every manager has an idea of how much a system shutdown or the loss of data in a breach would cost the company if an attack succeeded, quite apart from the nerves involved. Being unable to work would most probably lead to lost business opportunities and prospects. Regular penetration testing helps protect you against such financial losses.

IT networks will be extensively tested

Most companies install their IT systems, software or applications once at the beginning, rarely test them afterwards, apply updates only now and then, and never really subject them to a security test. Penetration testing makes sure this is done.

Customer protection

Companies are expected to protect their customers against IT threats originating from the company's own IT services. Malicious bugs, trojans and other malware can spread very rapidly, and malicious software can also be hidden in online shops or websites, exactly where your customers or prospects view your content. The results of a penetration test reveal exactly how safe your customers are when they interact with you.

Company protection

Penetration testing is a very good tool for protecting your company's, your staff's and your customers' assets. Such tests play an essential part in your company's good reputation and its success. In today's saturated market, customer trust is the basis for successful business relationships and brings an obvious advantage.

Given the worldwide growing need for security, regular penetration testing is a very important tool for the IT security of small and large businesses alike.

Why WordPress? Advantages and Disadvantages


In my last blog post I went through a quick and easy installation of WordPress. But why would you want this CMS at all?

People often ask about the advantages and disadvantages of WordPress. In my opinion it is very easy to handle and has a wide variety of functions.

Advantages of WordPress

  • Around 60% of all websites that run a Content Management System (CMS) run WordPress.
    That is a clear sign of the product's qualities. Why this is so, you can read in the next lines.
  • WordPress is very powerful; even CNN, Time and UPS use WordPress.
    This CMS needs few resources compared to other CMS and has a huge range of functionality. If there is something you need, you can have it developed by freelance programmers.
  • A large community can help if you run into problems.
    Many people know WordPress, so free and commercial support is probably close at hand if you need it.
  • WordPress is very search-engine friendly.
    If your blog cannot be found, the work and time you put into it are wasted. Being at the top of the search engine results page is very important if you want to push your blog, and WordPress supports your efforts to get onto the first page at Google.
  • WordPress is free.
    You don't have to pay a licence fee; it is free as in beer.
  • WordPress is easy to learn and there is a lot of documentation online.
    If you are new, grab a good book or look online at forums or dedicated WordPress how-to pages. There are plenty of them. Just get started.
  • Installation is quite easy and a lot of web hosters provide ready-to-go packages.
    If you choose a hoster that provides preinstalled WordPress, installation is just a matter of clicking the right buttons.
  • Updating and management are easier than for other CMS.
    I have run several CMS in my career and can say that WordPress is the easiest. That's a fact. If you want to invest little time in management and more time in the content, WordPress is definitely an option you should consider.
  • A lot of designs (themes) and add-ons (plug-ins) are available.
    You can buy commercial themes for little money, but very good ones are available for free too. Or you can have your design created and implemented by a WordPress developer.

Disadvantages of WordPress

There are so many good points that it is hard to think of disadvantages, but there are some.

  • Not all developers are good at securing their plug-ins or themes, so security can be a problem. A plug-in or theme runs with the full privileges of the WordPress installation, so one insecure or manipulated add-on is enough to compromise the whole site.
  • PHP as the underlying base. But other CMS and shop systems, "secure" and "insecure" ones alike, use PHP as well, so this may not be a valid argument.
  • If you want to change the design, you need to know CSS and HTML.
  • No native, nice support for tables.

Conclusion about WordPress pro and cons

WordPress is definitely an option if you are considering starting a blogging platform. Just get started, try it out and see if it suits you. It is worth the effort.
