An Interesting New Twist on WordPress Site Hijacking

This story reads like fiction.  OK, not great fiction, but this story illustrates another way that WordPress websites can be hijacked and used to promote a cyber scam.

WordPress websites are often hijacked so a phisher can host their landing page on a site that does not lead back to them.  And WordPress sites can be interesting targets for other cyber-criminals who export the user name and password database for cracking and sale on the Dark Web.

In this case, the cyber scammer actually paid $15,000 to the developer of a popular WordPress plugin “Display Widgets.”  After modifying the plugin code, he pushed an update to WordPress sites using the plugin.  The new code posted spam messages promoting a payday loan business that he also owned.

This guy had already purchased and modified other plugins from other developers including the “404 to 301” plugin.  The full story is available on the WordFence blog, and I encourage you to click over for a read.

The important take-away here is that even if you are doing everything possible to secure your website, it can be compromised as the result of another person’s business decision to sell their software to another company.

More information:


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
  Related Posts

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.