Industry Updates

Display Widgets WordPress Plugin Gives Hackers Access

WordPress is the most popular CMS on the planet. It has been the reigning king of websites for years, and all indications are that it will continue to be so. Unfortunately, there’s trouble brewing in the kingdom.

If you used WordPress to build your company’s site, then you undoubtedly know that you can extend and expand the CMS’s basic functionality via third-party plugins. These plugins can literally do anything you can imagine.

Want to sell products on your website? There are plugins that allow you to do that.

Want to set up a full-service online support center, or create a lively discussion forum and start building a community around your brand? You can do that, too, and a whole lot more.

There is, of course, a catch.

The more third-party plugins you use, the more likely it is that one of them contains malicious code. The WordPress.org development team keeps a watchful eye on all the plugins created in support of their CMS. In general, they do a good job of rooting out problematic plugins, but once in a while, something falls through the cracks.

Case in point: the “Display Widgets” plugin. Originally developed by Stephanie Wells, the plugin garnered a small but loyal following of some 200,000 users. Unfortunately, Ms. Wells lacked the time to properly support it, and sold the plugin to another company.

That’s when the trouble started.

With the very first update the new owners released (version 2.6.0), security researchers noticed malicious activity stemming from a new PHP file called “geolocation.php.” The code contained in this new file was collecting user data, including IP addresses and user-agent strings, and sending the data to a third-party server.

When WordPress was notified, they promptly took the plugin down.

The developer made a few changes and resubmitted it, gaining approval, but the malicious code was found to still be present – simply more cleverly hidden.

The plugin was again taken down, but the new owners were undaunted.

In all, they played four rounds of this game with WordPress before the WP moderators took direct control over the code and banished it for good.

Although the company has made a clean version of the plugin available to those who are using it, there’s no way to tell how many of its 200,000+ users have updated to the latest version. If your company is using the plugin “Display Widgets,” be sure you’re running version 2.7.0, released by the WordPress.org team, which is verified clean.
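
The check described above can be scripted across a server's plugin folders. The following is an added example, not code from WordPress.org or from the plugin: it finds any install whose standard plugin header reads "Plugin Name: Display Widgets", then reports installs that are not at version 2.7.0 or that still contain geolocation.php. The folder names and sample files are constructed, and matching on the header name is an assumption about how the plugin identifies itself.

```python
import re
import tempfile
from pathlib import Path

CLEAN_VERSION = "2.7.0"           # version the article says is verified clean
SUSPECT_FILE = "geolocation.php"  # file the article says appeared in 2.6.0
HEADER_BYTES = 8192               # WordPress reads plugin headers from the first 8 KB

def read_header(php_file, field):
    """Return a plugin header field such as 'Version', or None if absent."""
    head = php_file.read_bytes()[:HEADER_BYTES].decode("utf-8", "replace")
    m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.M | re.I)
    return m.group(1).strip() if m else None

def audit_plugins(plugins_dir):
    """Find Display Widgets installs and list the reasons each needs attention."""
    findings = []
    for plugin_dir in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        for php_file in sorted(plugin_dir.glob("*.php")):
            # Assumption: the plugin is identified by its header name, not its folder.
            if (read_header(php_file, "Plugin Name") or "").lower() != "display widgets":
                continue
            version = read_header(php_file, "Version") or "unknown"
            reasons = []
            if version != CLEAN_VERSION:
                reasons.append(f"version {version} is not {CLEAN_VERSION}")
            if any(f.name.lower() == SUSPECT_FILE for f in plugin_dir.rglob("*.php")):
                reasons.append(f"{SUSPECT_FILE} present")
            findings.append({"path": str(plugin_dir), "version": version, "reasons": reasons})
    return findings

def build_sample_tree(root):
    """Constructed sample data: one outdated install and one at 2.7.0."""
    for name, version, extra in (("display-widgets-old", "2.6.0", True),
                                 ("display-widgets", "2.7.0", False)):
        d = Path(root) / name
        d.mkdir(parents=True)
        (d / "display-widgets.php").write_text(
            f"<?php\n/*\nPlugin Name: Display Widgets\nVersion: {version}\n*/\n")
        if extra:
            (d / SUSPECT_FILE).write_text("<?php // constructed placeholder\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in audit_plugins(build_sample_tree(tmp)):
            print(f["path"], f["version"], f["reasons"] or "ok")
```

On a real server, pass the site's plugins directory to `audit_plugins` instead of the sample tree; an empty `reasons` list means the install matched 2.7.0 and no geolocation.php was found.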