How Gravityscan Helps Protect Against WordPress Supply Chain Attacks
Over the last few months, Defiant researchers have discovered a number of supply chain attacks via plugins found in the WordPress repository. These attacks have affected hundreds of thousands of WordPress sites. Owners of WordPress and potentially other open source CMS-driven sites have an increasingly challenging job monitoring their site’s security. Here’s how Gravityscan can help you protect your site.
Recent Supply Chain Attacks Targeting WordPress
In the software industry, a supply chain attack exploits a trusted relationship between software vendors or authors and their customers. For WordPress, that means figuring out how to embed malware into software updates, most commonly via an update to an already installed plugin.
In practical terms, it means a site owner may unknowingly introduce malware into their site’s code by simply keeping their plugins up to date.
WordPress is a huge target, running nearly 30% of all websites. Some of the recent plugin supply chain attacks we’ve seen have included:
- Backdoor and SEO Spam in Duplicate Page and Post
- Backdoor and SEO Spam in No Follow All External Links
- Backdoor and SEO Spam in WP No External Links
- Backdoor in a Captcha plugin active on over 300,000 websites
- Cryptocurrency mining by a plugin author using site visitors’ CPU resources
- A 4.5-year SEO spam campaign impacting nine plugins
These supply chain attacks appear to have been very profitable for the criminal actors who initiated them. Because they are easy to carry out and profitable for the attacker, we predict that these types of malicious attacks will continue to increase throughout 2018.
Why Protecting Your Site Is Your Responsibility
Whether you’re hiring a developer to develop a site from scratch, downloading a popular plugin from the WordPress repository, or purchasing a plugin from a plugin marketplace, your site’s security is in your hands. Every time you install software from a new person or organization on your site, your risk goes up. Making sure the new author is someone you can trust is ultimately your responsibility.
The WordPress plugin repository team is very dedicated, but they currently manage over 50,000 freely available plugins. Relying exclusively on this team to guarantee your site’s safety is not realistic. Just because you’ve paid for a plugin doesn’t mean it is problem-free either, as we’ve also seen backdoors and vulnerabilities in popular paid plugins.
While tools like Gravityscan will alert you to problems with your site, acting on the information provided is solely your responsibility.
How Gravityscan Helps You Protect Your Site
If you’re using Gravityscan to monitor your sites, you’ll receive an alert if you’re running a version of a plugin that has been taken over by an attacker. The alert will look like the following:
As a second layer of defense, Gravityscan will also alert you to the presence of any malicious links or backdoors as soon as they’re discovered. You may get an SEO spam alert prior to anyone knowing that the plugin is compromised. If your site is compromised and a malicious backdoor or other content is placed on your site, you’ll be alerted immediately.
Blacklist checks act as a third layer of defense, letting you know immediately if your domain or IP address has been added to one of over 20 blacklists.
How Gravityscan and Wordfence Work Together
The volume of malicious activity we’ve seen in the last few months requires a multipronged defense to protect your online reputation. From brute-force attacks to supply chain attacks, WordPress is a big target. Supply chain attacks are especially tricky, as the criminal actor is convincing you to install the malware for them, bypassing all of your other security measures.
Defending against these new threats makes a tool like Gravityscan a critical component of a layered security strategy. Using an endpoint firewall and a WordPress malware scanner together, such as Wordfence and Gravityscan, maximizes the information you have available to make informed decisions and prevail against increasingly clever attackers.
- Use both Wordfence (if you’re on WordPress) as well as Gravityscan. Set both to scan daily.
- Remove any plugins or themes you’re not actively using. If Wordfence alerts that a plugin has been removed from the WordPress repository, look into the reasons why and consider removing the plugin from your site.
- Keep your plugins updated, but read the change log for the plugin prior to updating.
- Know your developers. Stick with trusted developers and watch for any change in ownership for your primary plugins.
- Subscribe to our newsletter and follow our blog. As new vulnerabilities and attacks are discovered, we’ll not only develop a method to protect you (e.g., a new alert in Gravityscan or a new firewall rule in Wordfence), we’ll also let you know in detail what we’ve found.