Be careful installing WordPress plugins

Today we detected that one of our customers had installed a WordPress plugin on his blog that did something malicious: when the plugin was activated, it sent a stranger an e-mail message allowing full administrator access to the blog.

How did this happen? Well, our customer simply searched the WordPress plugin directory for “Contact Form”, saw the popular “Contact Form 7” plugin listed, then clicked “Install Now”. That all sounds reasonable.

Unfortunately, what he installed wasn’t the real Contact Form 7 plugin. Instead, it was a malicious copy of that plugin that contains extra files designed to give attackers full access to a blog. The malicious copy ranks higher than the real copy in the search results. (Hopefully the link to the malicious copy will stop working soon; we’ve notified the WordPress folks about this.)

The lesson here is “be careful what you install”. The WordPress Plugin Directory is not guaranteed to be safe, and WordPress plugins are no different from any other scripts you put on your site. While we can’t suggest a way to guarantee that a plugin is safe, be wary of plugins that have been recently updated, or that don’t have large numbers of downloads. If you’re not confident about a plugin, do a separate Internet search for its name. You’ll find the real home page for it, and that page will have a link to the real plugin page you should use.

The WordPress Plugin Directory site could be improved to offer some protection against this problem, too. A few “off the top of our head” suggestions:

  • The site should flag newly created plugins. Something on the page should indicate that the malicious “contact-form-73” plugin is only a few days old.
  • The site should allow authors to prove they own a plugin. In this case, the malicious plugin says “Author: takayukister”, but that’s the author of the real plugin, who almost certainly didn’t upload this one. WordPress has that author’s e-mail address on file and should send a message to verify that he really uploaded it. Plugins from newly created authors should also be flagged.
  • Two plugins with the same human-readable name should not be allowed in the directory.
  • Newly created plugins with a small number of downloads should not appear in the results before long-established plugins with millions of downloads, because people choose the first thing they see with a reasonable name.
  • The plugin directory needs a way for people to flag malicious plugins. I posted on the WordPress support forums and sent a message to the recommended plugins@wordpress.org address more than three hours ago, but it’s still there, and dozens of people have downloaded it since then.
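The suggestions above, as an added example that is not part of the original post or of WordPress.org’s own code: a scoring pass over a constructed set of search results that flags a days-old listing, a new or unverified uploader and a display-name collision, then ranks established plugins first. Only the slugs contact-form-7 and contact-form-73 and the author name come from the post; dates, download counts and account ages are constructed.

```python
"""Added example, not part of the original post or of WordPress.org's own code:
the directory-side checks suggested above, run over a constructed set of search
results. Dates, download counts and account ages are made up."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Plugin:
    slug: str
    name: str              # human-readable name shown in search results
    author: str            # author name as displayed on the listing
    created: date          # when the plugin first appeared in the directory
    uploader_joined: date  # when the account that uploaded it was created
    downloads: int
    author_verified: bool = False  # displayed author confirmed the upload by e-mail
    flags: list = field(default_factory=list)

def flag_plugins(plugins, today, new_days=30):
    """Attach warning flags to each listing (a name collision flags both plugins)."""
    names = Counter(p.name.casefold() for p in plugins)
    for p in plugins:
        checks = [
            ((today - p.created).days < new_days, "new-plugin"),
            ((today - p.uploader_joined).days < new_days, "new-author"),
            (not p.author_verified, "unverified-author"),
            (names[p.name.casefold()] > 1, "duplicate-name"),
        ]
        p.flags = [flag for hit, flag in checks if hit]
    return plugins

def rank(plugins, today, new_days=30):
    """Established plugins first, then by downloads, so a days-old copy cannot outrank the original."""
    def key(p):
        return ((today - p.created).days >= new_days, p.downloads)
    return sorted(plugins, key=key, reverse=True)

TODAY = date(2011, 6, 1)  # constructed
SEARCH_RESULTS = [  # constructed; only the two slugs and the author name come from the post
    Plugin("contact-form-73", "Contact Form 7", "takayukister", created=date(2011, 5, 29),
           uploader_joined=date(2011, 5, 28), downloads=40),
    Plugin("contact-form-7", "Contact Form 7", "takayukister", created=date(2007, 8, 1),
           uploader_joined=date(2007, 1, 1), downloads=5_000_000, author_verified=True),
]

if __name__ == "__main__":
    for p in rank(flag_plugins(SEARCH_RESULTS, TODAY), TODAY):
        print(p.slug, p.flags or "ok")
```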

Ultimately, though, it’s up to you to be careful about what you install. Be skeptical. Some people on the Internet really are out to get you.

7 Comments

  1. This is great info, and alarming to think of how many plugins I’ve tried without thinking. Thank you so much for the warning!

  2. You’re welcome! We hope it helps some people avoid having problems. Hopefully the WordPress folks will implement some improvements to help prevent these problems in the future, as well.

  3. Thanks for this warning. I thought the owner of WordPress, or to be correct one of the main developers and visionaries of WordPress, said after they released version 3 (and it’s been over a year since then) that they would take 3 months and improve the plugin area of the wordpress.org site to make it easier, safer, etc… They should definitely have implemented some of the things you listed there. I wonder how much time they really spent on improving the plugins area; it doesn’t seem like they invested 3 months as he said in the video presentation they planned to do.

  4. Very informative post, for me and no doubt many other WordPress users. I particularly appreciated the explanation (on your post to the WordPress forum) of how the script was designed to gain admin access to the victim site.

    It looks as if you were able to detect the malware before it did any damage. Yes? If so, how?

    From my own experience of how promptly Tiger Tech responds to even minor problems I have had, I would be confident you would take constructive action if I found some attacker had locked me out of my own site.

    There are ways of preventing that kind of awful scenario. Your points about how users should go about acquiring software from the web and how WordPress could tighten up security were also worth bearing in mind.

  5. Nogiku wrote:

    >It looks as if you were able to detect the malware before it did any damage. Yes? If so, how?

    Ah, good question!

    One form of site protection is stopping attacks we’ve seen before, or that we can anticipate, and we do lots of that. For example, if someone starts submitting lots of login attempts to the WordPress “login.php” script, we automatically block that. (That’s a simple example. One of the advantages of having been in this business for more than a decade now is that we’ve seen a lot; we protect you against all kinds of really weird things.)

    Novel attacks like this one are different. There’s no way to block them in advance, but we’d like to catch them when they happen, so we’ve created a monitoring system that watches sites for behavior that might (or might not) indicate something malicious is happening.

    Two examples are sites that start sending mail from scripts that didn’t previously do so, and PHP scripts that start to download files from remote servers. We flag some things like this for humans to review.

    Most of what the system brings to our attention isn’t malicious. But in the other direction, you’d be surprised by how much maliciousness does get flagged! In particular, the remote file downloading check seems to catch the majority of PHP attacks where an attacker is able to run code on a customer site, allowing us to immediately shut it down before more damage is done.

    In this case, the monitoring system noticed a PHP script sending unusual mail, so we looked at the source code for it and found the problem immediately.

    >From my own experience of how promptly Tiger Tech responds to even minor problems I have had, I would be confident you would take constructive action if I found some attacker had locked me out of my own site.

    Yep, we definitely try to go “above and beyond” to help people in situations like that. It’s an important part of what people rely on us for.
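As an added illustration of the baseline monitoring this reply describes (example code, not Tiger Tech’s system): a monitor that learns which scripts on a site already send mail or fetch remote files, then flags any script doing so for the first time. The event-log format, the site name, every log line and the file path under the contact-form-73 slug are constructed.

```python
"""Added example, not Tiger Tech's code: a behavioural baseline monitor in the
spirit of the one described above. It learns which PHP scripts on a site already
send mail or fetch remote files, then flags scripts doing so for the first time.
The event-log format and every log line below are constructed."""
import re
from collections import defaultdict
# Constructed format: "<timestamp> <site> <action> script=<path> target=<addr-or-url>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<site>\S+) (?P<action>mail|remote_fetch) "
                     r"script=(?P<script>\S+) target=(?P<target>\S+)$")

def parse(line):
    """Return the event fields as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def learn_baseline(lines):
    """Map site -> set of (script, action) pairs seen during a known-good period."""
    baseline = defaultdict(set)
    for ev in filter(None, map(parse, lines)):
        baseline[ev["site"]].add((ev["script"], ev["action"]))
    return baseline

def plugin_of(script):
    """Name the plugin a script lives in, so the reviewer knows where to look."""
    m = re.search(r"/wp-content/plugins/([^/]+)/", script)
    return m.group(1) if m else None

def detect(baseline, lines):
    """One alert per (site, script, action) the baseline has never seen; repeats are collapsed."""
    alerts, seen = [], set()
    for ev in filter(None, map(parse, lines)):
        key = (ev["site"], ev["script"], ev["action"])
        if key[1:] in baseline[ev["site"]] or key in seen:
            continue
        seen.add(key)
        alerts.append({**ev, "plugin": plugin_of(ev["script"])})
    return alerts

BASELINE_LOG = [  # constructed quiet-period activity for one site
    "2011-06-01T09:00:00 blog.example mail script=/home/blog/wp-includes/pluggable.php target=owner@blog.example",
    "2011-06-01T09:05:00 blog.example remote_fetch script=/home/blog/wp-admin/update-core.php target=https://updates.example.org/check",
]
NEW_LOG = [  # constructed: a freshly activated plugin mails a stranger (path under the slug is made up)
    "2011-06-02T14:00:00 blog.example mail script=/home/blog/wp-includes/pluggable.php target=owner@blog.example",
    "2011-06-02T14:01:00 blog.example mail script=/home/blog/wp-content/plugins/contact-form-73/includes/notify.php target=stranger@example.net",
    "2011-06-02T14:01:05 blog.example mail script=/home/blog/wp-content/plugins/contact-form-73/includes/notify.php target=stranger@example.net",
]

if __name__ == "__main__":
    for a in detect(learn_baseline(BASELINE_LOG), NEW_LOG):
        print(f"REVIEW {a['site']}: {a['script']} ({a['plugin']}) started to {a['action']} -> {a['target']}")
```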

  6. FYI- This malicious copy described may have been removed, but another one has taken its place. I installed Contact Form 7 on my WordPress site and it has decided to randomly attack a user’s computer that clicks “send.” I’ve deleted all the files for the plugin but now what?

  7. Sara wrote:

    >FYI- This malicious copy described may have been removed, but another
    >one has taken its place. I installed Contact Form 7 on my WordPress
    >site and it has decided to randomly attack a user’s computer that
    >clicks “send.”

    Yikes. We’ve never heard of anything like that before. If your site was hosted with our company, we could take a look at the code for you, but since it’s not, you should contact your hosting company — they should be able to help.