By now, anyone who has the internet has heard about how hackers targeted WordPress plugins during January and February 2020. Quite understandably, this hack job left many WordPress users wary about the damage done. For one of the most prevalent website template providers on the planet, this was an eye-opener.

This hack job was also a heads-up for WordPress customers to keep their plugins updated. To avoid future security risks, customers should take the plunge and invest in free or paid security plugins. For some business owners, these hack jobs may be a simple annoyance, but for others, this type of security breach can be costly.

Which plugins were besieged by hackers?

Nefarious hackers had a field day of targeting the most vulnerable plugins they could identify on WordPress. They made a point of honing in on susceptible plugins which contained pre-identified security defects. These plugins had been newly patched to eliminate bugs. Either that or the hackers were able to unearth ‘zero-day exploits’ in a range of these add-ons.

These ‘zero-day exploits’ relate to weak areas in plugins that the developer has overlooked or is unaware of. A lack of knowledge of vulnerability also means that the developer does not have a patch for that particular plugin.

Some of the plugins worst hit were:

  • Duplicator – the worst hit with over 1 million installations compromised
  • ThemeGrill Demo Importer – attracted 200k hits
  • Async JavaScript – over 100k hits
  • WP Database Reset – 80k hits
  • Profile Builder Plugin – approximately 65k hits
  • Modern Events Calendar Lite – 40k hits
  • Flexible Checkout Fields for WooCommerce – 20k hits
  • 10Web Map Builder for Google Maps – 20k hits

Several other plugins were also impacted, including ThemeREX Addons, CP Contact Form with PayPal and Simple Fields.

WordPress hacker plugin fallout

Reports initially suggested that up to 2,000 customer websites were breached by hackers. Other than the plugins affected as indicated above, traffic was also rerouted to scam sites. On unwittingly selecting installed reroutes, visitors found themselves being presented with unexpected results. These included bogus survey requests, free gifts, false downloads of Adobe Flash Player and unsolicited subscriptions for announcements.

Malicious JavaScript was used to infect vulnerable add-ons to redirect traffic, insert other malware to impact theme files, and gain unauthorized access to customer files. Hackers increased the damage implemented by creating plugin directories that were fake. As a result, WordPress encouraged website owners to disallow primary folder modification to minimize further potential risk.

Why do hackers hack?

Some do it for fun, because they can, because they are malicious, can gather personal details for gain, or because they want to claim some sort of ransom from their victims.

To place hacking in perspective, a study by Juniper Research forecast that hacking would cost up to $2 trillion during 2019.

A large 43 percent of cybercrimes are aimed at small businesses.

A study conducted at Maryland university indicated that a cyber-attack occurs every 39 seconds.

More than 230,000 pieces of malware are generated daily.

While there is no need to panic in the face of these figures, necessary precautions are needed to protect your website and your personal information.

Discovered unwanted intrusions on your website?

It is scary to find that your website has been hacked. If you have web development skills and are technically skilled, you’ll probably know what the best course of action is.

For the web development novices, the best advice is also to – stay calm, and look for these clues that your website has been compromised:

  • the most obvious clue – you cannot log into your own site
  • the site is unusually sluggish
  • you suddenly decide it might be a good idea to look at the dashboard for user accounts and see that you have attracted some foreign interest – unwelcome users
  • you receive messages of site re-directions from visitors, Google hacking notification, site suspension
  • your site is blacklisted on search engines because it definitely has been hacked, or is ranked as promoting the sale of illegal pharmaceuticals
  • antivirus and malware warnings from your installed software or warnings from site visitors

You will be in a good position to get your website operational if you take a deep breath. Place your site in maintenance mode, roll up your sleeves and get ready for business again.

Fix the mess made by the hackers

You can clean up your site by following some basic steps. Backup, scan, do a deep clean – then take prevention measures related to what originally instigated site susceptibility.

Site backup. Do this after you have placed your site in maintenance mode, and after you have been able to log in. This is a precaution so that you don’t lose data unnecessarily with a cleanup plugin.

Pick a security add-on. You can look through this list and pick a malware plugin to deliver a  deep scan. MalCare is recommended for an automatic site cleanup to ward off further attacks. This plugin prompts a backup through BlogVault, prior to cleanup.

Download MalCare, install and scan. After selecting MalCare, follow the steps to create your account prior to being allowed to install this add-on. After installation, you can open this program and follow the prompts to begin a scan.

Select autoclean. The plugin will indicate the number of vulnerabilities detected. Simply pick autoclean to remove hacked files and malicious scripts. Choose the ‘public_html’ option, using your host or server name, FTP type, user name, and password. Follow these steps to retrieve this information if it is not readily available. Select ‘Apply Fix’.

Remove vulnerabilities and install security. Follow this link to remove vulnerabilities, and make safe updates to your website.

A thorough cleanup. Do another scan. Make another backup once your site has been cleaned. Activate the add-ons that you want and remove those that you are not using. Create complex passwords (write these down in a safe place offline). Installing an audit plugin will help keep tabs on-site activity, alerting you to unwanted changes.

Run updates for other add-ons. Send a request to Google to whitelist your site if needed. Check if your host has suspended your site. Contact them if it has been so that you can get back to business.

Moving forward

Where customers realize that their websites have been impacted, or are using any of the plugins listed, they should be updated promptly. A full 98 percent of WordPress hackings take place because users fail to update their plugins.

It is further advised that customers continue to implement updates as and when these become available. Updates are generated for the purpose of minimizing security risks, and to remain compatible with related functions. Being attentive to upgrades will help to ward off threats.

About the Author

author photo

Mirko Humbert

Mirko Humbert is the editor-in-chief and main author of Designer Daily and Typography Daily. He is also a graphic designer and the founder of WP Expert.