
WordPress malware: Don't let too-good-to-be-true deals infest your site

Sometimes you can smell when it's not going to end well. It started with a routine email message in my inbox. But after reading the first few words, I could tell this was going to be one of those.
Written by David Gewirtz, Senior Contributing Editor

Sometimes you can smell when it's not going to end well. It's almost like there's a taste in the air. It started with a routine email message in my inbox. But after reading the first few words, I knew this was going to be one of those.

Here's how it started: "We bought the seamless donation plugin for our website..."

Let's start with a quick bit of back story for those of you who haven't been following along. A few months ago, I adopted a WordPress plugin, Seamless Donations, as my new side project. Seamless Donations helps nonprofits accept donations, and it's got just about 68,000 organizations depending on it to help them do good things for the world.

Helping users of the plugin and keeping it up to date is a good thing to do and it also helps keep my programming chops up to date. It's a win-win. It's also free, available for download from the central WordPress.org plugin repository. There should be no "We bought" in the email I got from the user.

Unfortunately, there are some real schmucks on this planet, and as soon as I read this guy's note, I had a feeling he had been a victim of one of them.

A few weeks ago, I wrote "WordPress: is it safe to use for my websites?" In it, I explained how WordPress (which runs about 23% of the world's websites) can be very safe - if site operators follow best practices. These include things like making sure the WordPress core, plugins, and themes are kept up-to-date, and making sure to download and buy from reputable sources.

Ah, here's where things get dangerous. You see, malware purveyors out there have figured out that WordPress runs about a quarter of the Web. If they can get malware installed on some of those websites, then anyone who visits one of them can easily be infected, especially if the visitor's browser and computer haven't been kept up to date.

What these malware purveyors have done is turn unsuspecting website operators into a distribution channel for their slimy crap.

It works in one of two ways. The first is the one I've seen more often. A malware scumbag will buy (usually using a stolen credit card number) a legitimate copy of a moderately pricey plugin. Said scumbag will download that product, dig into its code, remove the registration information that calls back home for approval, and instead, embed malware. This turns what was once a popular piece of software into a time bomb with a payload.

It gets worse. The malware makers then go and set up online shops where they advertise steep discounts on the software they've stolen and hacked. Don't want to spend a hundred bucks on ThemeSwamp's popular real estate theme? No problem. You can buy it from ScumShack for $9.95 with free lifetime updates.

Naive bargain-hunters fall for this all the time. So now they've not only bought a theme with a malware payload, they've given their credit card information to the bastards at the same time. And then, when they use that theme or plugin, they're infecting all their visitors. Special.

The other variant, the one my user seems to have fallen for, is the one where popular free plugins (like the one I support) are downloaded by these same malicious merchants of maleficent malware and then posted on their stores and then sold.

In this case, naive site operators (who may not know to go to the WordPress.org plugin repository, but are just Googling their way to their doom) are giving money (and, again, their credit card and identity information) to the bad guys when they could have actually gotten it for free.

As soon as Hapless Dude told me he'd bought the plugin, I pasted the URL of his website into Sucuri's malware scanner and wouldn't you just know it? Infected. Even worse, this guy had also been blacklisted, so people finding his site on Google and using other resources would actually be warned away from the site -- meaning what little Google Juice this guy might have had is now long gone.

This should all serve as a cautionary tale. When things seem too good to be true, they probably are. Also, you should do your research. If you're downloading a plugin or a theme, start with WordPress.org. For pro versions or extensions, go to the vendor's site directly through the links on the base plugin's page in the repository.

If you want to use a resource that's not directly available from the repository, first research the vendor and then buy from that vendor. You can use discount codes (they are plentiful in the WordPress world), but use them only on the original vendor's site.
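If a plugin copy of uncertain origin is already on a site, one way to check it is to compare it file by file against the same version fetched from WordPress.org or the original vendor. The sketch below is an added example, not code from the article or from any plugin; the directory names and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_plugin(reference_dir, installed_dir):
    """Compare an installed plugin with a reference copy of the same version."""
    ref, inst = tree_hashes(reference_dir), tree_hashes(installed_dir)
    return {
        "modified": sorted(f for f in ref.keys() & inst.keys() if ref[f] != inst[f]),
        "added": sorted(inst.keys() - ref.keys()),
        "missing": sorted(ref.keys() - inst.keys()),
    }


def demo():
    """Build two constructed plugin trees and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, inst = Path(tmp, "reference"), Path(tmp, "installed")
        files = {
            "plugin.php": b"<?php /* constructed main file */\n",
            "inc/forms.php": b"<?php /* constructed form code */\n",
            "readme.txt": b"constructed readme\n",
        }
        for base in (ref, inst):
            for name, body in files.items():
                path = base / name
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(body)
        # Simulate a repackaged copy: one file altered, one added, one removed.
        (inst / "inc/forms.php").write_bytes(b"<?php /* constructed, altered */\n")
        (inst / "inc/extra.php").write_bytes(b"<?php /* constructed, not in reference */\n")
        (inst / "readme.txt").unlink()
        return compare_plugin(ref, inst)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Any entry under "modified" or "added" means the installed copy differs from the reference and should be replaced with a clean download. For plugins hosted on WordPress.org, WP-CLI's `wp plugin verify-checksums` performs a comparable check against the repository's published checksums.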

Once again, WordPress can be safe... as long as you're not foolish. In the immortal words of Sergeant Phil Esterhaus, "Let's all be careful out there."

By the way, I'm doing more updates on Twitter and Facebook than ever before. Be sure to follow me on Twitter at @DavidGewirtz and on Facebook at Facebook.com/DavidGewirtz.
