WordPress and Rogue Plugins

It’s no secret that we love WordPress here at RCS. And we’re in good company. In 2016, sites built on the WordPress platform make up 25 percent of the top 10 million websites in the world, and our beloved WP powers more than 59 percent of all content management systems (CMS). Some of the most notable websites in the world, such as LinkedIn, TechCrunch, The New York Times Blogs website, the Mercedes-Benz official website, Sony, and Microsoft’s Blog, are all powered by WordPress. It’s elegant, customizable, expandable and easy to manage. So it’s true, WordPress rocks, and if you are thinking of creating your own site, it’s a great way to go. If you do, you won’t be sorry.

Unless, of course, something goes wrong.

What could possibly go wrong? Well, you see, one of the platform’s greatest strengths is also its biggest weakness. WordPress is extensible and open source, a combo that can make things really, really great or really, really bad.

The fact that WordPress is extensible means that there are literally tens of thousands of plugins just waiting to be used in the WordPress plugin directory. Plugins are basically micro programs, each designed to do one thing that your chosen WordPress theme (the template your site is based on) couldn’t do on its own. For example, there is a plugin called “The Bacon Ipsum Generator”. This plugin replaces the classic Latin Lorem Ipsum placeholder text (used when you need to fill a space for text but you don’t have the actual text yet) with bizarre bacon-related phrases like “Bacon ipsum dolor amet turkey biltong chicken boudin tenderloin leberkas sausage ground round spare ribs kielbasa doner cow, frankfurter turducken doner spare ribs kielbasa sirloin short loin jerky t-bone beef Tri-tip filet mignon….” Weird to be sure, but you get the idea. Since there are so many plugins available, you can be sure that whatever you want your site to do, it can be done using the right plugin.

You’re so open-sourced, your brain fell out!

The fact that it’s open source means that anybody could, theoretically, build a plugin and submit it to the WordPress plugin directory. WordPress does review all plugins before approving them; they check for issues like bugs in code and functionality. What they can’t check is whether the developer plans to keep the plugin updated once it’s been approved into the directory, which means that your awesome plugin might eventually become outdated or may contain critical security holes that never get fixed.

Another problem is that, aside from the plugin directory, developers sell unapproved (maybe just not-yet-approved…) plugins on independent third-party websites. Sure, some of these plugins may seem amazing, but a whole lot of them come with extra features you really don’t want: malware and backdoors. Unsuspecting and inexperienced web designers download these plugins daily, and a website owner might find that their website is sporting ISIS-supporting messages or selling Viagra.

Rogue plugins at work

Just last month, an uptick in WP hacks was noted by security firm Sucuri. At first, it seemed to be a regular, run-of-the-mill, could-be-from-any-old-server kind of attack, but they started to notice that all infected users had one thing in common: they all had a plugin called Custom Content Type Manager. This plugin has been around and under development for 3 years and just changed ownership. The old owner, FireproofSocks (yup, that’s really their name), hadn’t updated the plugin in over 10 months, and it now seems to be under the ownership of a developer called Wooranker. The question that remains is whether this was an intentional takeover, or whether the plugin was hijacked because it was left dormant for so long.

Regardless of how the hack came to be, we are more concerned with what the hack is trying to do, and as of now it’s acting as a backdoor and stealing admin passwords, sending them off to a remote server someplace else. Where? Well, at this point nobody seems to know where the stolen information is being sent, or what the ultimate intentions are. But you can bet it ain’t to your benefit.

If you are a WordPress webmaster or web designer/developer, there are some things you can do to keep your site safe and stay away from rogue plugins (and if you don’t work with WordPress, you can commit these tips to memory anyway to show off to your techie friends: who is the real hipster now, huh?).

Never use any plugin that’s not in the official WordPress plugin directory.

Clearly, if you have the Custom Content Type Manager, uh, get rid of it. NOW.

Once you do that, change the passwords for all of your users.

Clean up and uninstall all plugins you aren’t currently using on your site.

Make sure you perform all updates to WordPress core and to all your plugins.

Make sure you back up your site regularly; WordPress has lots of good (we hope) backup plugins like BackupBuddy.
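As an added example (not part of the original post or of any WordPress project), here is a small shell script that applies the clean-up steps above using WP-CLI; it assumes WP-CLI (`wp`) is installed on the server and that the rogue plugin’s directory slug is `custom-content-type-manager` (an assumption based on the plugin’s name).

```shell
#!/bin/sh
# Added example, not from the original post. Audits the plugins of a WordPress
# site using WP-CLI and applies the clean-up steps from the post.
# Assumption: the rogue plugin's slug is "custom-content-type-manager".
ROGUE_SLUGS="custom-content-type-manager"

# audit_plugins reads the CSV produced by
#   wp plugin list --format=csv --fields=name,status,update
# on stdin and prints one finding per line:
#   ROGUE    <name>   known rogue plugin, delete it immediately
#   INACTIVE <name>   installed but unused, uninstall it
#   OUTDATED <name>   an update is available, apply it
audit_plugins() {
    awk -F, -v rogue="$ROGUE_SLUGS" '
        BEGIN { n = split(rogue, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        NR == 1 { next }                               # skip the CSV header row
        {
            name = $1; status = $2; update = $3
            if (name in bad)               print "ROGUE    " name
            else if (status == "inactive") print "INACTIVE " name
            if (update == "available")     print "OUTDATED " name
        }'
}

# remediate applies the matching WP-CLI action for each finding from audit_plugins.
remediate() {
    while read -r kind name; do
        case "$kind" in
            ROGUE)    wp plugin deactivate "$name" && wp plugin delete "$name" ;;
            INACTIVE) wp plugin delete "$name" ;;
            OUTDATED) wp plugin update "$name" ;;
        esac
    done
}

# Only touch the live site when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    wp plugin list --format=csv --fields=name,status,update | audit_plugins | remediate
    wp core update                                       # keep core current too
    # After removing a credential-stealing plugin, force a password reset for every user.
    wp user list --field=user_login | xargs -n1 wp user reset-password
fi
```

Run it from the WordPress root as `sh audit.sh --run`; without `--run` it only defines the functions, so you can pipe a saved `wp plugin list` CSV into `audit_plugins` to review findings first.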

Happy WP-ing!
