Researchers have found a total of 93 WordPress apps — 40 themes and 53 plugins — have been compromised as part of a large backdoor attack that gives threat-actors full access to the websites those add-ons have been used for.
How large is the supply chain attack? On one hand, it's constrained to AccessPress, a single WordPress developer. But one the other hand, AccessPress's add-ons are used on more than 360,000 active websites, making this a massive security incident.
We've said it before and we'll say it again: Getting a quality antivirus software looks more and more like a necessity every day.
How the WordPass Files were Affected
Researchers at security company Jetpack first discovered the attack when they noticed a PHP backdoor had been added to some themes and plugins.
Their theory is that an external threat actor breached AccessPress's website in order to compromise all the software needed to more easily gain further access to a much larger swath of websites.
According to Bleeping Computer, once admins install one of these add-ons on their WordPress website, the threat actors slipped a new “initial.php” file (one with a base64 encoded payload that writes a webshell into the “./wp-includes/vars.php” file) into the main theme directory and added it to the main “functions.php” file. Once in place, the payload would be decoded, giving the threat actors just what all hackers want: remote control of their target website.
The attack happened in September 2021, Sucuri researchers say, and went undetected until now.
Check if Your WordPass is Infected
Jetpack has put up a list of the compromised add-ons.
If you run a WordPress blog and the list of compromised softwares includes a plugin or theme you've installed between now and last September, you might be infected and you'll need to check. Here's how, according to website security company Sucuri:
- Check your wp-includes/vars.php file around lines 146-158. If you see a “wp_is_mobile_fix” function there with some obfuscated code, you’ve been compromised
- You can also query your file system for “wp_is_mobile_fix” or “wp-theme-connect” to see if there are any affected files
If compromise, Sucuri recommends taking these steps:
- Replace your core WordPress files with fresh copies
- Remove and replace any affected AccessPress themes or plugins with fresh copies downloaded from the official WordPress repository. If the software you need was taken offline, go ahead and remove the plugins/themes from your website and find replacements
- Follow the standard post-infection steps like updating wp-admin administrator and database passwords as a precaution
Granted, this incident is just 93 themes and plug-ins, but there's no harm in checking for the latest threat. As any IT professional can tell you, the online security job is never done.
WordPress has been having a bit of bad luck when it comes to malware attacks and vulnerabilities. Last November, the site ran into a spate of fake ransomware messages that demanded website owners fork over Bitcoin payments or see their files deleted — something that the attackers couldn't actually accomplish.
The attacks aren't only WordPress, of course. Last week, for example, we covered the ‘Whispergate' malware family, which acts like ransomware, but which Microsoft says “lacks a ransom recovery mechanism” and is actually “designed to render targeted devices inoperable.”
As for this recently revealed add-on attack, the danger is over now, but a similar incident could be tough to avoid in the future. An antivirus software won't hurt — we'd recommend McAfee or Norton — but the danger is always out there.