WordPress has a major vulnerability… again. Not something that us developers who use WordPress daily like to hear. Especially when the hacking vulnerability is contained in the WordPress core. And for those who use a certain plugin (Easy WP SMTP), we got a twofer this week: direct server access for hackers who targeted sites with it installed.
Personally, we’ve been dealing with the ramifications of these hacks all week. We’ve had at least a dozen client WordPress websites affected. The result was always the same: injected code into core WordPress files, theme files, plugins files, and even upload folder files.
WordPress 5.1 CSRF Hacking
Many developers have expressed concern over the complete lack of cross-site scripting protection in WordPress. The WordPress.org team has been hesitant to patch this major security flaw because of WordPress’ core feature of blogging, fearing it would limit and break built-in features like Trackbacks and Pingbacks. Honestly, these features have never served a purpose for us in our 10+ years using WordPress and implementing it on over 100 websites, so I don’t quite understand the tradeoff.
Simon Scannell of RIPS Tech was credited by WordPress in the recent 5.1.1 WordPress release (that patches this issue) for finding and reporting to the WP.org team the issue.
Essentially, a malicious hacker was able to target the platform by injecting code via comments that would lure a WordPress administrator to their site, which caused code to execute via Remote Code Execution, and the target site is then fully controlled with administrative abilities by the bad actor.
The fix is simple: update to WordPress 5.1.1. As a precaution, if you don’t use commenting, be sure to disable the feature under WordPress Settings -> Discussion.
Easy WP SMTP Hack
A very popular plugin on WordPress, Easy WP SMTP, was also identified as a a security vulnerability this week. For us at Ideas and Pixels, this offense was far more severe. Out of the dozen or so hacks we faced this week, this one was the culprit for 80% of them. A new feature added recently in version 1.3.9 that added Export/Import functionality to the plugin was at issue here. Although the specifics are unknown in terms of exactly what hackers were doing with this functionality to gain access to the admin dashboard, it was clearly an egregious issue, as almost every client site of ours that had it installed ended up affected.
The developer promises that upgrading to 18.104.22.168 fixes this security hole, but it may be worth just dumping the plugin altogether and using a competitor without a history of such issues. For what it’s worth, we’ve used this plugin for years without issue, until this week.
The fix for a hack resulting from this exploit is to comb your WordPress installation for all recent file changes. We ended up going into the server command line console and doing a “find” command piped with other functions to see every changed file. Once the injected code was removed, the sites functioned as normal again. We immediately made both upgrades (WordPress core and Easy WP SMTP). The sites have been stable for a few days since.
We did find that two of our sites had seen their “siteurl” option changed to a nefarious URL. The fix for this was simply editing the database table “wp_options” and changing that record back to your real website URL.