Backdoors Found in Three More WordPress Plug-ins

In what is becoming an increasingly common type of software supply chain attack, three more WordPress plug-ins that recently changed ownership got backdoored by their new owners. What’s worse is that the malicious code went undetected for months.

The rogue plug-ins are called Duplicate Page and Post, No Follow All External Links and WP No External Links and they all have been removed from the official WordPress plug-in repository over the past couple of weeks. At the time of their removal, they were installed on tens of thousands of WordPress websites.

According to an analysis by researchers from website security firm Wordfence all of the plug-ins were purchased over the past six months by the same actor with the explicit goal of backdooring them. The malicious code that was added by the new owner pulls spam content from a third-party server and displays it to visitors and search engine crawlers.

This practice is known as Search Engine Optimization (SEO) spam and its goal is to artificially inflate the search ranking of certain pages by injecting links to them into other websites without authorization.

The backdoor code in two of the plug-ins contact the same content server and information obtained by the Wordfence researchers suggests that all three plug-ins were bought by a U.K. company called Orb Online from the U.K. that describes itself as a “digital marketing agency, specializing in SEO, eCommerce and Magento web development.”

Last week, Wordfence discovered a different WordPress plug-in that had been backdoored after being sold by its original author. In that case, the rogue code opened unauthorized administrative access to websites that had the plug-in installed. And it wasn’t the first time when this kind of compromise hit WordPress users.

With hackers increasingly abusing the trust between users and their software providers, it becomes hard for companies to detect compromises. Preventing such attacks requires strong software control policies, reviewing and approving software updates and maintaining a software bill of materials for applications developed in-house.

Advertisers Use Hidden Login Forms to Discover Users’ Identities

Some advertising and Web analytics firms exploit a known privacy weakness in the password managers built into browsers to discover the usernames of anonymous visitors.

Researchers from Princeton’s Center for Information Technology Policy found tracking scripts on 1,110 websites from the Alexa top 1 million list that inject hidden login forms into pages in order to trick browsers into exposing usernames.

This is a known privacy leak that results from password managers built into browsers automatically filling in usernames and passwords saved by users for known websites. Hackers have been using hidden forms to extract such data with cross-site scripting attacks in the past.

For advertisers, associating a visitor who’s not logged in with an email address that’s typically used as a username, can be valuable and can be used for tracking.

“Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier,” the Princeton researchers said in a blog post. “A user’s email address will almost never change—clearing cookies, using private browsing mode, or switching devices won’t prevent tracking. The hash of an email address can be used to connect the pieces of an online profile scattered across different browsers, devices, and mobile apps. It can also serve as a link between browsing history profiles before and after cookie clears.”

Until browser vendors decide to address this issue in some way, it’s probably best for users to avoid using the built-in password managers, and disable the autofill option in third-party solutions. To protect their users, website owners can put their login forms on a separate subdomain, which will prevent autofill on non-login pages.

Featured eBook
7 Reasons Why CISOs Should Care About DevSecOps

7 Reasons Why CISOs Should Care About DevSecOps

DevOps is no longer an experimental phenomenon or bleeding edge way of delivering software. It’s now accepted as a gold standard for delivering software. It’s time for CISOs to stop fearing DevOps and start recognizing that by embedding security into the process they’re setting themselves up for huge potential upsides. Download this eBook to learn ... Read More
Security Boulevard

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin

2 thoughts on “Backdoors Found in Three More WordPress Plug-ins

Comments are closed.