Hide Your Website; Popular WordPress Plug-in Goes Bad

WordPress is a mammoth of CMS platform. You have full reign to play around with the code structure and create just about anything you can imagine. The use of plug-ins takes this functionality further as you can make use of extensions made by other people, who really know the ins and outs of WordPress coding, without the need to actually know any coding. However, this isn’t always safe. There have been numerous cases where a popular and innocent looking plug-in or third party extension file contains some sort of malicious code that can cause all sorts of damage to your WordPress site. These could be free value plug-ins or even ones from legitimate developers accounts (which have either been hijacked or bought off, of course). One such case that surfaced recently is of a plug-in called “Custom Content Type Manager” that installs a backdoor through which it alters core WordPress files in an attempt to log and steal user credentials from infected sites.

“Custom Content Type Manager (CCTM)”, is a popular plugin that was made available around three years ago and currently has 10,000+ active installs, and a satisfaction rating of 4.8. It’s focus is to help create custom post types, should the standard WordPress experience be somewhat bland for you. However, the plug-in had been inactive for ten months prior to its latest update, research of which shows that the plug-in has now changed owners, and is currently under the possession of a developer called “wooranker”. You can read about how Sucuri Security, a leading security solution provider for WordPress sites, identified and reconstructed the attack here.  

The changes made to the code included an auto-update.php file, which included the ability to download files from a remote server on the infected website, as well as a “CCTM_Communicator.php” file which pinged wooranker’s server whenever a new site was infected. These alterations made sure that the hacker was able to control user login, creation and edit commands, intercepting user data before being encrypted and send the user’s passwords to the hacker’s’ server. Along with this, wp-options.php created an admin account on the infected website, with the credentials support / support.co@wordpresscorem. What does this mean? It means that no matter what the scenario or precautions taken by the users, wooranker would always have an admin account on the infected site and would have access of whatever passwords would be used when accessing the said sites. What’s more baffling is that the hacker even included his own set of JavaScript analytics code, loaded via the CCTM plugin as a fake jQuery version, just in case the “CCTM_Communicator.php” file had problems reporting on infected websites. As can be read in the link provided above, Sucuri Security was able to trace the domains used in this attack to a “Vishnudath Mangilipudi”, who happens to be a developer from Andhra Pradesh, India. There is of course contention that Mr. Vishnudath Mangilipudi is not the culprit, but himself a victim of stolen identity, but nothing is certain as of yet.

Given the popularity of this plug-in, there is no doubt that hundreds of sites have been affected when they unwittingly updated the plug-in as was sent out by wooranker. WordPress admins with this plug-in are advised to remove it immediately, or downgrade to version 0.9.8.6 (which is considered to be the last safe and stable version) if the CCTM plug-in is imperative for the site.

[xyz-ihs snippet=”add-post-end-728×90″]

[et_bloom_locked optin_id=optin_7][/et_bloom_locked]