Hackers Hijack WordPress Plugins: 36,000 Sites at Risk!
Thousands of WordPress websites face takeover risks due to compromised plugin updates. Security experts warn that malicious code in these updates creates new admin accounts for hackers. Be cautious and stay updated with your WordPress plugins to avoid these threats.

Hot Take:
WordPress plugin updates: the only thing less reliable than your New Year’s resolutions. If hackers wanted to take control of my life as easily as they do WordPress sites, they’d just have to sneak into my gym and swap my dumbbells for donuts.
Key Points:
- Five WordPress plugins have been compromised, putting thousands of websites at risk.
- The malicious code creates a new admin account, giving hackers full control.
- Plugins affected: Social Warfare, BLAZE Retail Widget, Wrapper Link Elementor, Contact Form 7 Multi-Step Addon, Simply Show Hooks.
- Total installs of these plugins: 36,000, with Social Warfare being the most popular.
- WordPress’s vast store of third-party plugins can be a security risk if not properly maintained.
Attack of the Killer Plugins
Thousands of WordPress websites are now playing “Hackers: The Home Game” after a malicious update process compromised several popular plugins. Security gurus from Wordfence, the digital bouncers of WordPress, identified five plugins that effectively got their patching processes poisoned. When users try to patch these plugins, they actually download a delightful piece of code that creates a new admin account. The credentials are then sent on a one-way trip to the hackers, who can now waltz into the website like they own the place.
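A defender's check for the behavior described above, as an added example (not code from the article or from Wordfence): it flags installed plugins whose titles match the five named here and lists administrator accounts that are not on a known-good allowlist, noting whether each was created after the last plugin update. The JSON inputs are constructed samples assumed to be exported with WP-CLI (`wp plugin list --fields=title,version --format=json` and `wp user list --role=administrator --fields=user_login,user_registered --format=json`); the logins, dates and allowlist are hypothetical.

```python
import json
from datetime import datetime

# Plugin titles as named in the article (compared case-insensitively).
AFFECTED_TITLES = {
    "social warfare", "blaze retail widget", "wrapper link elementor",
    "contact form 7 multi-step addon", "simply show hooks",
}
WP_TIME = "%Y-%m-%d %H:%M:%S"  # format of WordPress's user_registered column

# Constructed sample exports (not real site data).
PLUGINS_JSON = """[
  {"title": "Example Gallery", "version": "2.1.0"},
  {"title": "Social Warfare", "version": "9.9.9"}
]"""
ADMINS_JSON = """[
  {"user_login": "site-owner", "user_registered": "2030-01-05 09:00:00"},
  {"user_login": "editor-in-chief", "user_registered": "2030-02-11 14:30:00"},
  {"user_login": "unknown-admin", "user_registered": "2030-06-22 03:12:45"}
]"""

def affected_plugins(plugins):
    """Return titles of installed plugins that the article lists as compromised."""
    return [p["title"] for p in plugins
            if p["title"].strip().lower() in AFFECTED_TITLES]

def unexpected_admins(admins, known_logins, last_update):
    """Return (login, created_after_update) for every admin not on the allowlist."""
    cutoff = datetime.strptime(last_update, WP_TIME)
    findings = []
    for admin in admins:
        if admin["user_login"] in known_logins:
            continue
        created = datetime.strptime(admin["user_registered"], WP_TIME)
        findings.append((admin["user_login"], created >= cutoff))
    return findings

def audit(plugins_json, admins_json, known_logins, last_update):
    """Run both checks over the exported JSON and return one report."""
    return {
        "affected_plugins": affected_plugins(json.loads(plugins_json)),
        "unexpected_admins": unexpected_admins(
            json.loads(admins_json), known_logins, last_update),
    }

if __name__ == "__main__":
    known = {"site-owner", "editor-in-chief"}  # hypothetical allowlist
    print(json.dumps(audit(PLUGINS_JSON, ADMINS_JSON, known, "2030-06-21 00:00:00"), indent=2))
```

An administrator that is off the allowlist and was created after the update is the pattern the article describes; one created earlier still deserves review, since the allowlist may simply be stale.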
Meet the Usual Suspects
The rogue plugins are Social Warfare, BLAZE Retail Widget, Wrapper Link Elementor, Contact Form 7 Multi-Step Addon, and Simply Show Hooks. With a collective 36,000 installs, these plugins are like the popular kids in high school who suddenly turned into hackers. Social Warfare, with its 30,000 installs, is the head cheerleader of this compromised clique. Journalists from Ars Technica tried to reach out to the developers for a chat (or maybe an intervention), but many didn’t even have contact information listed. It’s like trying to call tech support and getting a toaster.
WordPress: Secure-ish
While WordPress itself is generally as secure as Fort Knox, its third-party themes and plugins are more like open windows in a castle. These add-ons are often the digital equivalent of a DIY project gone wrong—sometimes abandoned or maintained by a hobbyist who may or may not have a clue about cybersecurity. WordPress admins should be cautious when installing third-party plugins, ensuring they only use what they need and keeping everything updated. It’s like making sure your houseplants are actually alive before you invite guests over.
The Cautionary Tale
The underlying takeaway is simple: if you’re running a WordPress site, think of your plugins as houseguests—they can bring the party or trash your place. So, be selective, keep them in check, and always be on the lookout for those who might overstay their welcome. And remember, in the world of cybersecurity, it’s not paranoia if they really are out to get you.
Want More Horror Stories?
For those who enjoy a daily dose of digital doom and gloom, signing up for the TechRadar Pro newsletter is like subscribing to a series of cliffhangers. From the latest WordPress vulnerabilities to the best firewalls and endpoint protection tools, it’s the news you need to keep your business safe—and your paranoia levels high.
Who’s Behind the Curtain?
Sead, the brains behind this juicy tidbit of WordPress drama, is a seasoned freelance journalist based in Sarajevo. With over a decade of experience writing about IT and cybersecurity, he’s the digital equivalent of Sherlock Holmes, minus the pipe and plus a keyboard. When he’s not writing for media outlets like Al Jazeera Balkans, he’s teaching content writing modules, ensuring the next generation of writers can scare you with cybersecurity stories just as effectively.
In conclusion, the next time you update a WordPress plugin, cross your fingers, say a little prayer, and maybe keep a security expert on speed dial. Because in the world of WordPress, even a seemingly innocent update can turn into a full-blown digital horror show.