Over 90 Hacked WordPress Add-Ons Could Give Away Your Website Access

The affected WordPress developer's add-ons are used on more than 360,000 active websites.

Researchers have found that a total of 93 WordPress add-ons (40 themes and 53 plugins) have been compromised as part of a large backdoor attack that gives threat actors full access to the websites where those add-ons are installed.

How large is the supply chain attack? On one hand, it’s constrained to AccessPress, a single WordPress developer. But on the other hand, AccessPress’s add-ons are used on more than 360,000 active websites, making this a massive security incident.

We’ve said it before and we’ll say it again: Getting a quality antivirus software looks more and more like a necessity every day.

How the WordPress Files Were Affected

Researchers at security company Jetpack first discovered the attack when they noticed a PHP backdoor had been added to some themes and plugins.

Their theory is that an external threat actor breached AccessPress’s website and compromised its software in order to more easily gain access to a much larger swath of websites.

According to Bleeping Computer, once admins installed one of these add-ons on their WordPress website, the threat actors slipped a new “initial.php” file (one with a base64-encoded payload that writes a webshell into the “./wp-includes/vars.php” file) into the main theme directory and added it to the main “functions.php” file. Once in place, the payload would be decoded, giving the threat actors just what all hackers want: remote control of their target website.

The attack happened in September 2021, Sucuri researchers say, and went undetected until now.

Check if Your WordPress Site Is Infected

Jetpack has put up a list of the compromised add-ons.

If you run a WordPress blog and the list of compromised software includes a plugin or theme you’ve installed between last September and now, you might be infected and you’ll need to check. Here’s how, according to website security company Sucuri:

  1. Check your wp-includes/vars.php file around lines 146-158. If you see a “wp_is_mobile_fix” function there with some obfuscated code, you’ve been compromised
  2. You can also query your file system for “wp_is_mobile_fix” or “wp-theme-connect” to see if there are any affected files
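
The two Sucuri checks above, plus a heuristic for the “initial.php” file described earlier, written out as an added example script (it is not from Sucuri, Jetpack or the original article). The function names `scan_wp` and `make_sample`, the restriction to `*.php` files and the constructed sample tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example: scan a WordPress tree for the indicators described in this article.
# scan_wp DIR returns 0 if nothing is found and 1 if any indicator is present.
scan_wp() {
    root="${1:-.}"
    found=0

    # Check 1: marker function in the core file the webshell is written to.
    core="$root/wp-includes/vars.php"
    if [ -f "$core" ] && grep -q 'wp_is_mobile_fix' "$core"; then
        echo "[!] $core contains wp_is_mobile_fix at line(s):"
        grep -n 'wp_is_mobile_fix' "$core"
        found=1
    fi

    # Check 2: either marker string in any PHP file under the site root.
    # Limiting the search to *.php is an assumption made here for speed.
    hits=$(find "$root" -type f -name '*.php' \
        -exec grep -lE 'wp_is_mobile_fix|wp-theme-connect' {} + 2>/dev/null) || true
    if [ -n "$hits" ]; then
        echo "[!] Files containing a known marker string:"
        echo "$hits" | sed 's/^/    /'
        found=1
    fi

    # Check 3 (heuristic): a theme whose functions.php references an initial.php
    # sitting beside it, as described above. Review each match by hand.
    for fn in "$root"/wp-content/themes/*/functions.php; do
        [ -f "$fn" ] || continue
        dir=$(dirname "$fn")
        if [ -f "$dir/initial.php" ] && grep -q 'initial\.php' "$fn"; then
            echo "[?] $fn references $dir/initial.php"
            found=1
        fi
    done

    [ "$found" -eq 0 ] && echo "[ok] no indicators found under $root"
    return "$found"
}

# Constructed sample tree with harmless placeholder files, for an offline trial.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/themes/demo"
    echo '<?php function wp_is_mobile_fix() { /* placeholder */ }' > "$d/wp-includes/vars.php"
    echo "<?php include 'initial.php';" > "$d/wp-content/themes/demo/functions.php"
    echo '<?php /* placeholder */' > "$d/wp-content/themes/demo/initial.php"
    echo "$d"
}
```

Call it as `scan_wp /path/to/site`; a return value of 1 means at least one file needs manual review before you move on to the cleanup steps.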

If compromised, Sucuri recommends taking these steps:

  1. Replace your core WordPress files with fresh copies
  2. Remove and replace any affected AccessPress themes or plugins with fresh copies downloaded from the official WordPress repository. If the software you need was taken offline, go ahead and remove the plugins/themes from your website and find replacements
  3. Follow the standard post-infection steps like updating wp-admin administrator and database passwords as a precaution

Granted, this incident is just 93 themes and plug-ins, but there’s no harm in checking for the latest threat. As any IT professional can tell you, the online security job is never done.

WordPress Vulnerabilities

WordPress has been having a bit of bad luck when it comes to malware attacks and vulnerabilities. Last November, the site ran into a spate of fake ransomware messages that demanded website owners fork over Bitcoin payments or see their files deleted — something that the attackers couldn’t actually accomplish.

The attacks aren’t limited to WordPress, of course. Last week, for example, we covered the ‘Whispergate’ malware family, which acts like ransomware, but which Microsoft says “lacks a ransom recovery mechanism” and is actually “designed to render targeted devices inoperable.”

As for this recently revealed add-on attack, the danger is over now, but a similar incident could be tough to avoid in the future. An antivirus software won’t hurt — we’d recommend McAfee or Norton — but the danger is always out there.

Written by:
Adam is a writer at Tech.co and has worked as a tech writer, blogger and copy editor for more than a decade. He was a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and his art history book on 1970s sci-fi, 'Worlds Beyond Time,' is out from Abrams Books in July 2023. In the meantime, he's hunting down the latest news on VPNs, POS systems, and the future of tech.