
Description:

Researchers at Sucuri have published a blog post detailing their recent observations of attackers using an outdated and insecure WordPress plugin to create a backdoor into already compromised websites. The plugin, EvalPHP, lets site administrators embed PHP in WordPress posts and pages, and that code is executed every time a visitor requests the page. EvalPHP has not been updated since 2012 and until recently saw very few (if any) downloads.

However, beginning March 29th, Sucuri researchers noticed that the plugin had seen a resurgence and was seeing downloads spike to over 7,000 a day.  

The EvalPHP plugin has seen an unexpected download spike over the past month. Source: https://blog.sucuri.net/2023/04/massive-abuse-of-abandoned-evalphp-wordpress-plugin.html

This spike has not been caused by legitimate web developers rediscovering an outdated plugin. Nor are the attackers exploiting a vulnerability in EvalPHP: they are using its intended feature, executing whatever PHP is placed in a post, to plant backdoors on websites they have already compromised.

To carry out this attack, the threat actors need access to the WordPress administrator panel of the website. By default, a website’s WordPress admin login page is publicly reachable, which exposes it to brute-force attacks. Websites that use default, weak, or easily guessable credentials can be compromised without the website owner ever knowing.

With admin access to a site, the attackers can make changes to the website as they please, including installing plugins. As the Sucuri researchers have seen, attackers are now installing plugins that execute arbitrary PHP, such as EvalPHP, to give themselves easy, repeated access to the site, even if the administrator credentials are later changed or multi-factor authentication is added.

With EvalPHP installed, attackers have been seen injecting malicious PHP into the website’s database and saving it in a simple test page that is hidden from the rest of the website. The page wraps the malicious PHP in EvalPHP’s shortcode, so each time the attackers request that page the code runs and re-establishes their administrative access. Because the payload lives in the database rather than in a plugin or theme file, it survives password changes and is easy to miss during a casual review of the site.
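The following Python script is an added example, not code from the Sucuri post or from the EvalPHP plugin, showing the check a site owner would run for the pattern described above: an [evalphp] shortcode stored in post content whose body contains file-writing, decoding, shell or request-input constructs. The rows in SAMPLE_POSTS are constructed for the example (the IDs, titles and PHP are made up); in a real audit you would feed it the result of a query such as `SELECT ID, post_title, post_status, post_content FROM wp_posts WHERE post_content LIKE '%[evalphp%'` (assuming the default wp_ table prefix). The indicator list and the `abandoned_plugins` watchlist are this example’s own choices, not Sucuri’s.

```python
"""Scan exported wp_posts rows for EvalPHP shortcodes that could carry a backdoor."""
import re
from dataclasses import dataclass, field

# Constructed sample rows shaped like a wp_posts export. IDs, titles and
# contents are made up for this example and do not come from a real site.
SAMPLE_POSTS = [
    {"ID": 12, "post_title": "About us", "post_status": "publish",
     "post_content": "<p>We sell widgets.</p>"},
    {"ID": 812, "post_title": "test", "post_status": "draft",
     "post_content": ("[evalphp] file_put_contents(ABSPATH . 'wp-x.php', "
                      "base64_decode($_REQUEST['p'])); [/evalphp]")},
    {"ID": 813, "post_title": "Footer year", "post_status": "publish",
     "post_content": "Copyright [evalphp] echo date('Y'); [/evalphp]"},
]

# WordPress shortcode tags are case-sensitive; matching case-insensitively
# here is deliberate so that a disguised tag is still surfaced for review.
SHORTCODE_RE = re.compile(r"\[evalphp\](.*?)\[/evalphp\]", re.IGNORECASE | re.DOTALL)

# PHP constructs that turn "run some PHP on page load" into "write a file,
# decode a hidden payload, take attacker input or spawn a shell".
SUSPICIOUS_RE = re.compile(
    r"\b(?:eval|assert|base64_decode|gzinflate|str_rot13|file_put_contents|fwrite|"
    r"system|exec|shell_exec|passthru|wp_create_user|wp_insert_user|wp_set_auth_cookie)\s*\("
    r"|\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    post_id: int
    post_status: str
    severity: str                 # "high" if backdoor-style constructs seen, else "medium"
    indicators: list = field(default_factory=list)
    snippet: str = ""


def scan_posts(posts):
    """Return one Finding per post that contains an [evalphp] shortcode.

    Any use of the shortcode is reported, because the plugin is abandoned and
    should not be on a maintained site at all; posts whose shortcode body also
    contains a suspicious construct are rated "high".
    """
    findings = []
    for post in posts:
        bodies, indicators = [], []
        for m in SHORTCODE_RE.finditer(post["post_content"]):
            body = m.group(1)
            bodies.append(body.strip())
            indicators.extend(h.group(0) for h in SUSPICIOUS_RE.finditer(body))
        if not bodies:
            continue
        # De-duplicate indicators, keeping first-seen order and dropping the
        # whitespace PHP allows between a function name and its "(".
        seen = []
        for ind in indicators:
            norm = re.sub(r"\s+", "", ind)
            if norm not in seen:
                seen.append(norm)
        findings.append(Finding(
            post_id=post["ID"],
            post_status=post["post_status"],
            severity="high" if seen else "medium",
            indicators=seen,
            snippet=" ".join(bodies)[:120],
        ))
    return findings


def abandoned_plugins(installed_slugs, watchlist=("evalphp",)):
    """Return installed plugin slugs (e.g. directory names under wp-content/plugins)
    that appear on a watchlist of plugins that should never be present."""
    return [s for s in installed_slugs if s.lower() in watchlist]


if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f.post_id} ({f.post_status}) severity={f.severity} "
              f"indicators={f.indicators} snippet={f.snippet!r}")
    print("abandoned plugins installed:",
          abandoned_plugins(["akismet", "EvalPHP", "wordpress-seo"]))
```

A draft or otherwise unpublished post that carries the shortcode deserves the same attention as a published one: the attackers in this campaign hid their page precisely so it would not show up in the site’s navigation, and a draft still executes its shortcode when an authenticated user previews it.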

With such high-level access to a site, attackers can use it for their own purposes, such as spreading malware, hosting phishing attack landing sites, and bypassing firewalls in other attacks.

Preventions:

To protect your WordPress website from this attack, the first priority is to keep your administrator account from being compromised. The following steps help with this:

  • Use a strong, unique password for your administrator user, for example the three random words method recommended by the NCSC.
  • Use multi-factor authentication, which can be set up on WordPress websites with little effort. Steps to do so can be found in this WordPress article.
  • Limit login attempts to slow down brute-force attacks on your site.
  • Use CAPTCHA so that logins are made by humans rather than bots. Brute-force attacks are typically automated, so CAPTCHA raises their cost considerably, though it does not stop a determined attacker on its own.

In addition to protecting your administrator panel from being compromised, Sucuri researchers recommend the following protections:

  • Keep your website, its themes and its plugins patched with the latest security releases to prevent attackers from using known vulnerabilities to access your website, and remove plugins that are no longer maintained.
  • Use a web application firewall to block known malicious requests.
  • Regularly back up your site.
  • Review the users, pages, posts and plugins on your site to ensure there aren’t any that attackers have created or installed.

Related Links: