Large Number of WordPress Hacks Silently Delivering Ransomware to Visitors

Mys­te­ri­ous­ly, a large num­ber of sites run­ning on Word­Press have been hacked caus­ing them to deliv­er  cryt­po-ran­somware and oth­er mali­cious soft­ware, to vis­i­tors. Until last week, web secu­ri­ty ser­vices were unaware of this mas­sive lapse in secu­ri­ty.

Three sep­a­rate secu­ri­ty firms have since come for­ward to report that vis­i­tors of a mas­sive num­ber of legit­i­mate Word­Press sites are being silent­ly redi­rect­ed to mali­cious sites, which host code from the Nuclear exploit kit.

Users with out­dat­ed ver­sions of Adobe Flash Play­er, Adobe Read­er, Microsoft Sil­verlight, or Inter­net Explor­er are high­ly sus­cep­ti­ble to get­ting infect­ed with Tes­lacrypt ran­somware pack­age. The ran­somware encrypts files on the com­put­er with a decryp­tion key which can only be availed at a hefty ran­som to restore user files.

“Word­Press sites are inject­ed with huge blurbs of rogue code that per­form a silent redi­rec­tion to domains appear­ing to be host­ing ads,” Mal­ware­bytes Senior Secu­ri­ty Researcher Jérôme Segu­ra wrote in a blog post pub­lished Wednes­day. “This is a dis­trac­tion (and fraud) as the ad is stuffed with more code that sends vis­i­tors to the Nuclear Exploit Kit.”

Researchers at Heim­dal Secu­ri­ty Soft­ware wrote in a blog post: “The cam­paign makes use of sev­er­al domains to deliv­er the mali­cious code, which is why active servers can quick­ly change depend­ing on which IP as DNS lookup they use.” Hack­ers are exploit­ing an uniden­ti­fied vul­ner­a­bil­i­ty with obfus­cat­ed JavaScript which redi­rects traf­fic to a domain called chren­ovuihren. An online ad pops up on the site which forces traf­fic to the site host­ing the Nuclear exploit kit.

“This past week­end we reg­is­tered a spike in Word­Press infec­tions where hack­ers inject­ed encrypt­ed code at the end of all legit­i­mate .js files.” Web­site secu­ri­ty firm Sucuri, said in a state­ment in a blog post, Mon­day. “This mal­ware uploads mul­ti­ple back­doors into var­i­ous loca­tions on the web­serv­er and fre­quent­ly updates the inject­ed code. This is why many web­mas­ters are expe­ri­enc­ing con­stant rein­fec­tions post-cleanup of their .jsfiles.”

Three of the Best WordPress Security Plugins Reviewed

With cyber­at­tacks get­ting increas­ing­ly com­mon, about 30,000 per day, it’s more impor­tant than ever to pro­tect your site. You can take steps to safe­guard your data with­out pay­ing exter­nal ser­vices. Set­ting a com­pli­cat­ed pass­word and keep­ing your site up-to-date goes a long way, but the extra blan­ket of secu­ri­ty pro­vid­ed by secu­ri­ty plu­g­ins cer­tain­ly helps and is worth shelling out a few extra dol­lars for pre­mi­um fea­tures.

There’s a ton of Word­Press secu­ri­ty plu­g­ins, so we’ve reviewed only three of the most pop­u­lar ones out there:

  1. Word­Fence

This plu­g­in is free but for addi­tion­al fea­tures there is a pre­mi­um ver­sion. It rou­tine­ly scans all your Word­Press files for mal­ware infec­tions and noti­fies you if any is found. Using two fac­tor authen­ti­ca­tion (with SMS), it stops brute force attack. Word­Fence gives users the option to block peo­ple from cer­tain coun­tries, and has a fire­wall to block fake traf­fic. The plu­g­in claims to speed up your web­site 50 times faster, and can sup­port mul­ti­ple sites on the same account.

  1. iThemes Secu­ri­ty

For­mer­ly known as ‘Bet­ter WP Secu­ri­ty’, iThemes is a pop­u­lar choice with users. It scans your site to find vul­ner­a­bil­i­ties and fix­es them as quick­ly as it sends you a report. It not only hides sen­si­tive core files, but increas­es the password’s secu­ri­ty lev­el and blocks ‘bad users’. If iThemes is faced with a user with repeat­ed login attempts, it will block and report their IP address­es. Pro users get two-fac­tor authen­ti­ca­tion using a mobile app, pass­word expi­ra­tion, a track log of users’ actions, and a mal­ware scan auto­mat­i­cal­ly every day.

  1. Sucuri Secu­ri­ty

This plu­g­in is a prod­uct of Sucuri Inc., a web secu­ri­ty com­pa­ny focused on detect­ing and reme­di­at­ing com­pro­mised web­sites. Its secu­ri­ty activ­i­ty mon­i­tor­ing fea­ture tracks all changes to help secu­ri­ty experts under­stand how it is being com­pro­mised. Sucuri Secu­ri­ty also Secu­ri­ty Activ­i­ty Audit­ing has File Integri­ty Mon­i­tor­ing, Remote Mal­ware Scan­ning, Black­list Mon­i­tor­ing, Effec­tive Secu­ri­ty Hard­en­ing, Post-Hack Secu­ri­ty Actions, Secu­ri­ty Noti­fi­ca­tions and a Web­site Fire­wall.

WordPress 4.4.2 Update Released to Patch Vulnerabilities

Word­Press 4.4.2 has been released as an update to all ver­sions to pro­vide patch­es for two secu­ri­ty vul­ner­a­bil­i­ties. To improve func­tion­al­i­ty, 17 bugs from the pre­vi­ous ver­sion are also addressed. The update is now avail­able to down­load and Word­Press rec­om­mends that every­body update imme­di­ate­ly.

One of the two secu­ri­ty fix­es in 4.4.2 is a pos­si­ble Serv­er-Side Request Forgery (SSRF) vul­ner­a­bil­i­ty. It impacts local address­es and allows hack­ers to bypass access con­trols, like Fire­wall, to crash infect­ed sys­tems. The actu­al Word­Press code com­mit that fix­es the SSRF issue states that “ is not a valid IP.”

This is not the first time Word­Press has pushed a fix for SSRF. In June 2013, Word­Press 3.5.2 was released with a patch-up for a SSRF vul­ner­a­bil­i­ty.

The Mitre Com­mon Weak­ness Enu­mer­a­tion (CWE) states in its def­i­n­i­tion of SSRF as,“By pro­vid­ing URLs to unex­pect­ed hosts or ports, attack­ers can make it appear that the serv­er is send­ing the request, pos­si­bly bypass­ing access con­trols such as fire­walls that pre­vent the attack­ers from access­ing the URLs direct­ly.”

Open redi­rec­tion attack is the sec­ond issue tack­led in the new update. An open redi­rec­tion attack links to exter­nal sites — phish­ing sites or oth­er kinds of mali­cious sites — by abus­ing web func­tion­al­i­ty. “A web appli­ca­tion accepts a user-con­trolled input that spec­i­fies a link to an exter­nal site, and uses that link in a Redi­rect,” Mitre’s Open Redi­rect def­i­n­i­tion states. “This sim­pli­fies phish­ing attacks.”

A new block of code which will bring about bet­ter val­i­da­tion of the Web address­es used in HTTP redi­rects, is Word­Press’s solu­tion for the open redi­rec­tion attack inse­cu­ri­ty.

After the Jan 6th update of Word­Press 4.4.1, this is the sec­ond update of the year for Word­Press. Like last time, auto­mat­ic updates are being rolled out to sites that sup­port auto­mat­ic back­ground updates. To down­load man­u­al­ly, you can either head over to Dash­board > Updates in Word­Press and click on the “Update Now” but­ton, or down­load Word­Press 4.4.2 from Word­Press direct­ly.


WordPress Update 4.4.1 Released

Last week, Word­Press announced the release of an update to address secu­ri­ty and main­te­nance issues. The pub­lish­ing plat­form urged users to update their sys­tems imme­di­ate­ly, pro­tect­ing them from a cross-site script­ing (XSS) vul­ner­a­bil­i­ty.

Aaron  Jorbin, a Word­Press con­trib­u­tor who pub­lished news of the update’s release on the com­pa­ny’s offi­cial blog, warned that Word­Press ver­sions 4.4 and ear­li­er could allow sites to be com­pro­mised due to the cross-site script­ing vul­ner­a­bil­i­ty.  The loop­hole was dis­cov­ered and report­ed by Crtc4L.

The bug allows remote attack­ers to gain access and com­pro­mise sites. Hack­ers are able to pass mali­cious con­tent between sites through the cross-site script­ing vul­ner­a­bil­i­ty. The kind of code injec­tion bypass­es the same-ori­gin pol­i­cy, which is an impor­tant con­cept in web secu­ri­ty appli­ca­tions. Wikipedia says under the pol­i­cy, “a web brows­er per­mits scripts con­tained in a first web page to access data in a sec­ond web page, but only if both web pages have the same ori­gin.” 

The vul­ner­a­bil­i­ty was spot­ted by Crtc4L, who is an inde­pen­dent secu­ri­ty researcher based in the Philip­pines. They were award­ed a boun­ty through HackerOne for their dis­cov­ery.

In addi­tion, the update also con­tains sev­er­al bug fix­es unre­lat­ed to secu­ri­ty. Among them are sup­port for all the new emo­ji char­ac­ters late­ly added to the emo­ji col­lec­tion, includ­ing the diverse hand ges­tures and faces. Fans of emo­jis on iOS will rejoice at the long-await­ed news.

Word­Press 4.4.1 fix­es 52 bugs from the last ver­sion. Fix­es to solu­tions includ­ed: “Some sites with old­er ver­sions of OpenSSL installed were unable to com­mu­ni­cate with oth­er ser­vices pro­vid­ed through some plu­g­ins,” and “if a post URL was ever re-used, the site could redi­rect to the wrong post.”

Auto­mat­ic updates are being rolled out to sites that sup­port auto­mat­ic back­ground updates. To down­load man­u­al­ly, you can either head over to Dash­board > Updates in Word­Press and click on the “Update Now” but­ton, or down­load Word­Press 4.4.1 from Word­Press direct­ly.

Recap 2015 — A Year of Security Vulnerabilities


The time to make new year res­o­lu­tions is here. The time to wave good­bye to 2015. The time of fresh begin­nings. The time to look back on the good and bad of the past year. And the time to review all that hap­pened and move on as a bet­ter ver­sion of your­self.

Con­trary to pop­u­lar opin­ion, it’s not always exter­nal hack attacks that do the most harm. Some­times it is inher­ent flaws in the sys­tem unno­ticed by users until the minute they are exploit­ed. Tech­world did a great piece on secu­ri­ty flaws of the year 2016 detail­ing acci­den­tal flaws in ser­vices lead­ing to attacks in 2015.

Google Android Flaws

Google’s Android plat­form for smart­phones has spread far and wide. Stretch­ing across sev­er­al man­u­fac­tur­ers has made it dif­fi­cult to push updates to all devices at the same time, lead­ing to mul­ti­ple secu­ri­ty issues. In the sum­mer of 2015, many secu­ri­ty flaws were made pub­lic, of which Stage­fright was the most dev­as­tat­ing. Fol­lowed by Stage­fright 2.0, it had a way of beat­ing Android 5.0 lockscreen’s secu­ri­ty code.

Anti-virus Flaws

Of all the anti-virus­es, the most flawed (yet pop­u­lar) AVG was first sin­gled out by an Israeli secu­ri­ty firm enSi­lo which dis­cov­ered a soft­ware flaw. It was patched in two days. How­ev­er, lat­er on a Google engi­neer found anoth­er flaw in AVG’s Chrome brows­er Web Tune-Up plug-in which allowed attack­ers to scour through entire brows­ing his­to­ries.

Juniper VPN ‘Back Door’ Flaw

Appar­ent­ly the VPN part of Juniper’s NetScreen fire­wall kit has had a back­door since 2012. A weak­ness in a piece of encryp­tion fur­ni­ture called Dual_EC_DRBG ran­dom num­ber gen­er­a­tor con­tained a soft­ware flaw that allowed the inser­tion of a back door.


Talk­Talk attacked thrice

The telecom­mu­ni­ca­tions com­pa­ny was attacked not just once, but thrice! Accord­ing to the com­pa­ny, ‘only’ 159,959 accounts were com­pro­mised, of which 15, 656 had their bank account details com­pro­mised.

Inde­pen­den­t’s ran­somware

Inde­pen­dent news blog was caught serv­ing Tes­laCrypt ran­somware by Trend Micro. The site was attacked sev­er­al weeks before Trend informed them.


WordPress Security: 2015 in Review

Anoth­er day, anoth­er year and 2015 is draw­ing to a close. It’s been an inter­est­ing year with Don­ald Trump mak­ing waves in the pres­i­den­tial elec­tions, and fin­ish­ing off with Steve Har­vey crown­ing the wrong Miss Uni­verse! 2015 is a year to remem­ber. In the midst of the hol­i­day cheer, it’s also the time to reflect back on the past year to learn and grow from our mis­takes.

By mis­takes, we mean laps­es in your Word­Press secu­ri­ty — not on how you need to start hit­ting gym! With Word­Press attacks on the rise, it’s more impor­tant than ever to keep your site safe and beware of some com­mon pit­falls. Only last month, data secu­ri­ty firm Imper­va con­firmed in their WAAR Report 2015 that Word­Press has been the vic­tim 3.5 times more than oth­er Con­tent Man­age­ment Sys­tems.

Word­Fence has released the results of their first annu­al Word­Press Secu­ri­ty Sur­vey. A large sam­ple of 7,375 Word­Press users took part in the sur­vey reveal­ing data of secu­ri­ty behav­iour of Word­Press users, from those with lit­tle to no expe­ri­ence to total experts.

Of the respon­dents, 38.9% admit­ted to being a vic­tim of a Word­Press attack in the past year. It appears that a major­i­ty of the vic­tims were not proac­tive­ly scan­ning their site for virus­es but rather stum­bled upon it. Over 35% of the sam­ple said that they were alert­ed to their site being com­pro­mised while vis­it­ing their site. Around 27% said that their host­ing provider took their site offline and 26% were con­tact­ed by a cus­tomer.

Although more than half of Word­Press users find their income great­ly affect­ed when their site goes com­pro­mised, it appears from the sur­vey results that expert users were far more con­cerned about site secu­ri­ty than advanced and inter­me­di­ate users.

Plu­g­ins often make it to the news for cre­at­ing vul­ner­a­bil­i­ties in the site’s defense sys­tem, yet inter­est­ing­ly the sur­vey found that the most used plu­g­in type installed was a secu­ri­ty plu­g­in. It was close­ly fol­lowed by con­tact form, SEO and anti-spam plu­g­ins.

As a site own­er, it’s your respon­si­bil­i­ty to keep your site well pro­tect­ed. Use these 4 sim­ple ways to pro­tect your site from ever get­ting com­pro­mised.

Mer­ry Christ­mas and a Hap­py New Year from every­body at WPSOS! See you next year ;)

GoDaddy and SiteLock Partner to Add Security to Small Business WordPress Sites

It seems like very week there are new reports of secu­ri­ty attacks on Word­Press sites, and accord­ing to recent reports the num­bers are just get­ting high­er. GoDad­dy, the high­ly pop­u­lar domain reg­is­trar and web host­ing com­pa­ny, has decid­ed to add extra secu­ri­ty to Word­Press sites owned by small busi­ness own­ers. The com­pa­ny has part­nered with Site­Lock, a web­site secu­ri­ty provider, to reduce secu­ri­ty vul­ner­a­bil­i­ties and attacks.

The two com­pa­nies which have been work­ing togeth­er since April 2014, have announced a new plu­g­in keep­ing web devel­op­ers and design­ers in mind. With just one click, busi­ness­es will be able to access and under­stand their web­site secu­ri­ty sit­u­a­tion. With­out hav­ing to leave your web­site, the plu­g­in gives you an at-a-glance view of secu­ri­ty scan results with­in the Word­Press dash­board.

“This brought their secu­ri­ty infor­ma­tion to the fore­front in Word­Press so they can man­age their port­fo­lio of web­sites with­out hav­ing to ever leave the Word­Press site,” Site­Lock Pres­i­dent Feath­er said. “They can scan to make sure it’s free of mal­ware and can do all this with­in one inter­face. It’s a pow­er­ful tool for them because it enables them to do it in real time as they’re work­ing and adding fea­tures to their site.”

Oth­er fea­tures include secu­ri­ty scans on Word­Press pages in draft mode and real-time updates to resolve threats with min­i­mal laten­cy between the time they are iden­ti­fied and resolved. The plu­g­in can also rec­og­nize spe­cif­ic vul­ner­a­bil­i­ties and quick­ly resolve them on its own.

Tom Serani, Site­Lock Exec­u­tive Vice Pres­i­dent of Busi­ness Devel­op­ment, said, “As the host­ing space con­tin­ues to evolve, we want­ed to offer a strate­gic solu­tion through a trust­ed small busi­ness advi­sor and part­ner like GoDad­dy. We worked togeth­er to make it easy for cus­tomers to seam­less­ly inte­grate secu­ri­ty into their sites.”

Users can use one set of log-in cre­den­tials through the plu­g­in to access and man­age both their GoDad­dy account and Site­Lock infor­ma­tion.

WP Engine Suffers Security Breach

WP Engine has suf­fered a major secu­ri­ty breach it forc­ing to reset over 30,000 cus­tomers’ pass­words. On Tues­day, the Word­Press host­ing out­fit con­fessed to the hack attack. It post­ed rec­om­men­da­tions on reset­ting pass­words with updat­ed step-by-step links on how to do it.

WP Engine is a Host­ed ser­vice provider, which man­ages Word­Press host­ing for mis­sion crit­i­cal sites around the world. Set up by Word­Press to bet­ter sup­port the giant web pub­lish­ing plat­form, it had stayed clear of any secu­ri­ty vul­ner­a­bil­i­ties — unlike Word­Press and its themes- up till now.

In an urgent secu­ri­ty noti­fi­ca­tion on its site, WP Engine announced the secu­ri­ty breach. They said, “At WP Engine we are com­mit­ted to pro­vid­ing robust secu­ri­ty. We are writ­ing today to let you know that we learned of an expo­sure involv­ing some of our cus­tomers’ cre­den­tials. Out of an abun­dance of cau­tion, we are proac­tive­ly tak­ing secu­ri­ty mea­sures across our entire cus­tomer base.”

“We have begun an inves­ti­ga­tion, how­ev­er there is imme­di­ate action we are tak­ing. Addi­tion­al­ly, there is action that requires your imme­di­ate atten­tion” said the WP Engine Team, refer­ring to the reset­ting of pass­words. “While we have no evi­dence that the infor­ma­tion was used inap­pro­pri­ate­ly, as a pre­cau­tion, we are inval­i­dat­ing the fol­low­ing five pass­words asso­ci­at­ed with your WP Engine account. This means you will need to reset each of them.”

The firm imme­di­ate­ly reached out to its clients inform­ing them of the attack and on how to guard their accounts. Users with an account at WP Engine should change their pass­word and keep a watch­ful eye over email com­ings and goings, as well as, their finan­cial trans­ac­tions.

WP Engine apol­o­gized for the attack, “We apol­o­gize for any incon­ve­nience this event may have caused. We are tak­ing this expo­sure as an oppor­tu­ni­ty to review and enhance our secu­ri­ty, and remain com­mit­ted to strong inter­nal secu­ri­ty prac­tices and process­es.”

Breaking News: Reader’s Digest and other WordPress sites are compromised

A large num­ber of Inter­net users have been infect­ed via the Angler exploit kit, after vis­it­ing com­pro­mised sites in the past week. The hack­ing cam­paign has been pushed from many Word­Press sites, most notably that of Read­er’s Digest — the pop­u­lar, month­ly fam­i­ly mag­a­zine.

Accord­ing to secu­ri­ty blog, Mal­ware­bytes, the attack con­sists of com­pro­mised Word­Press sites inject­ed with mali­cious script that launch­es anoth­er URL whose final pur­pose is to load the Angler exploit kit. Own­ers of attacked Word­Press sites should remem­ber that although the inject­ed scripts and URL’s fol­low the same pat­tern, they vary over time.

In the ini­tial inves­ti­ga­tion by Mal­ware­byte, it was found that the Necurs back­door tro­jan is loaded on the com­put­er of vis­i­tors to the infect­ed sites, deliv­ered by the Bedep tro­jan via the uploaded Angler Exploiter Kit. If you have vis­it­ed Read­er’s Digest or any oth­er com­pro­mised site, run a secu­ri­ty scan on your com­put­er.

But if you are one of the infect­ed sites, then don’t hes­i­tate in con­tact­ing us. It is our spe­cial­ty to clean up all mal­ware and hack­er attacks on Word­Press sites. We have a high­ly expe­ri­enced team who have seen all kinds of virus­es and mal­ware, and effec­tive­ly dealt with them.

In an email to SCMagazine on Tues­day, Read­er’s Digest spokesper­son Pauli Cohen said, “We became aware of the mal­ware attack last week and have been work­ing with our secu­ri­ty provider, tech­nol­o­gy part­ners and plat­form provider to inves­ti­gate the issue and per­form exten­sive secu­ri­ty checks on our web­site. At this point, we are address­ing all known vul­ner­a­bil­i­ties of the site. We take secu­ri­ty very seri­ous­ly and are tak­ing every step to ensure the integri­ty of our site.”

Although it is our spe­cial­ty to help restore secu­ri­ty to hacked Word­Press sites, we believe it is always impor­tant to guard your­self against an attack in the first place. Get­ting your site back up and run­ning is no prob­lem for us. How­ev­er once you’ve real­ized that your site has been hacked, then give us a call at +1 (650) 600‑1970 as soon as pos­si­ble to mit­i­gate the dam­age.

Imperva WAAR Report 2015: WordPress attacks highest of all CMS’s

Secu­ri­ty attacks on web­sites and blogs are high­er than ever before. Accord­ing to Imper­va’s new Web Appli­ca­tion Attacks Report, Con­tent Man­age­ment Sys­tems (CMS’s) were attacked three times more often than oth­er Web appli­ca­tions. The data secu­ri­ty firm con­firmed that Word­Press has unfor­tu­nate­ly been the vic­tim 3.5 times more than the oth­ers.

It comes as no sur­prise that Word­Press is the most attacked CMS. Not only is the most pop­u­lar ser­vice but new data from W3Techs, which mea­sures both usage and mar­ket share, report­ed last week that Word­Press accounts for a quar­ter of the web. They said,“WordPress is used by 58.7% of all the web­sites whose con­tent man­age­ment sys­tem we know. This is 25.0% of all web­sites.”

As 2015 draws to a close, Word­Press has tak­en a real beat­ing this year with an increase in brute-force attacks. Hack­ers and mal­ware are doing a lot of dam­age by tak­ing advan­tages of vul­ner­a­bil­i­ties caused by weak­ness­es in the 30,000+ plu­g­ins on Word­Press.

Imper­va’s report said,“CMS frame­works are most­ly open source, with com­mu­ni­ties of devel­op­ers con­tin­u­ous­ly gen­er­at­ing sequences of plu­g­ins and add-ons, with­out con­cert­ed focus towards secu­ri­ty. This devel­op­er mod­el con­stant­ly increas­es the vul­ner­a­bil­i­ties in CMS appli­ca­tions, espe­cial­ly for Word­Press which is also PHP based.”

Non-CMS appli­ca­tions were less sus­cep­ti­ble to remote com­mand exe­cu­tion (RCE) attacks than CMs’s accord­ing to the report’s find­ings. Fur­ther­more, the report found that Word­Press is five times like­li­er than oth­er CMS’s to be hit by remote file inclu­sion (RFI) attacks.

Some of the trends dis­cov­ered in Imper­va’s annu­als report were con­tin­u­ing from last year’s report, such as increased SQL Injec­tion (SQLi) and Cross-Site-Script­ing (XSS) attacks and more attacks on Word­Press. A new­com­er this year is the mega trend of Shell­shock Remote Code Exe­cu­tion (RCE) attacks, scan­ning web appli­ca­tions on an equal basis.

The report said, “We con­clude that the increas­ing avail­abil­i­ty of web attack tools and services—with com­pu­ta­tion­al pow­er becom­ing less expen­sive and ubiquitous—are dri­ving the new wave of vol­u­met­ric mali­cious attacks. The evo­lu­tion of attacks against web appli­ca­tions has con­tin­ued with increased sophis­ti­ca­tion, mag­ni­tude, and veloc­i­ty. How­ev­er, there is hope thanks to the grow­ing effec­tive­ness of rep­u­ta­tion-based detec­tion mech­a­nisms, and their abil­i­ty to iden­ti­fy attacks by track­ing pre­vi­ous­ly iden­ti­fied mali­cious activ­i­ty to its ori­gins.”