More WordPress Security Issues – Malware Hiding in Popular Plugins

There is more bad news for WordPress website owners and developers.  WordFence has found more instances of popular plug-ins being modified to contain malicious software.  The three most recent discoveries are:

WordFence had reported earlier about another 9 affected plug-ins.  The ones that are marked safe appear to be clean in their current versions.  Some plug-ins were removed from the repository.

  • 404 to 301: Safe
  • Display Widgets Plugin: Safe, but no longer maintained. Use Jetpack’s Widget Visibility Module instead.
  • WP Slimstat: Safe
  • WP Maintenance Mode: Safe
  • Menu Image: Safe
  • NewStatPress: Safe
  • Financial Calculator Plugin: Safe. Never included malicious code, but Soiza did have access for some time this year.
  • Weptile Image: Removed from repository
  • No Comment: Removed from repository

These plug-ins are being exploited in a variety of ways.  In some cases, the plug-in is being purchased from the original developer by a bad actor who then modifies the code with malware.  Sometimes the code is being exploited via a hijacked supply chain login credential belonging to a contract developer.  This again points to the fact that an organization is only as secure are the least secure member of the team.  If your company allows vendors and contractors to connect to your network this can affect you.  Read the WordFence articles below if you are interested in specifics.

If you are running a WordPress site using any of these plugins, you need to update or remove them now.  If you are not yet running a security plug-in such as WordFence, you should add this to your plug-in collection.

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.