WordPress Security Breach Used Vulnerabilities in Plugins in Themes

BY Bigger Law Firm Magazine

Security vulnerability infected websites
  • Over 1 million sites have been affected by the Balada Injector since 2017.
  • The malware allows attackers to generate fake WordPress admin users.
  •  The report underscores the importance of keeping plugins and themes updated.


Over one million WordPress websites have been infected by a malware campaign called Balada Injector since 2017, according to cybersecurity firm GoDaddy's Sucuri. The attackers behind the campaign use all known and recently discovered vulnerabilities in WordPress themes and plugins to breach sites. They typically play out their attacks in waves once every few weeks, making them difficult to detect. The Balada Injector campaign is characterized by its use of String.fromCharCode obfuscation, freshly registered domain names that host malicious scripts on random subdomains, and redirects to various scam sites.

The malware allows attackers to generate fake WordPress admin users, harvest data stored on hosts, and leave backdoors for persistent access. It also carries out broad searches from top-level directories associated with the compromised website's file system to locate writable directories that belong to other sites. In this manner, just one compromised site can potentially grant access to several other sites for free.

WordPress users are recommended to keep their website software up-to-date, remove unused plugins and themes, and use strong WordPress admin passwords. If these attack pathways are unavailable, attackers brute-force the admin password using a set of 74 predefined credentials.

These findings come on the heels of a similar malicious JavaScript injection campaign that redirects site visitors to adware and scam pages. Over 51,000 websites have been affected since 2022. The campaign also employs String.fromCharCode as an obfuscation technique, leading victims to booby-trapped pages that trick them into enabling push notifications by masquerading as a fake CAPTCHA check to serve deceptive content.

The lesson here is clear: law firms must keep their WordPress plugins up-to-date and ensure their website is protected against these types of attacks. This includes using strong passwords, removing unused plugins and themes, and regularly backing up site data.

Bigger Law Firm Magazine

Bigger Law Firm Magazine has been helping law firms grow since 2011. We regularly publish helpful insights from industry professionals to help legal marketing directors, firm administrators, and lawyers build bigger and more efficient law firms.


Law Firm Marketing Director

What Makes a Great Law Firm Marketing Director?

In an ever-changing legal landscape, an exceptional Law Firm Marketing Director stays ahead of the curve. They adopt a visionary perspective to navigate through intricate legal landscapes and drive the firm’s marketing initiatives. This involves identifying market trends, predicting client needs, and planning innovative marketing strategies to secure a competitive edge.

Writing press releases for law firms

How Law Firms Can Effectively Use Press Releases

Press releases allow law firms to share their successes, announce new hires or promotions, and position themselves as thought leaders in their respective practice areas. In this article, I will share best practices for writing a great title, writing a great summary, and telling your story in a meaningful way, as well as provide scenarios…

Fluff Content AI Articles for Law Firms

Google’s John Mueller Warns Fluff Content Can Harm Your Law Firm’s Whole Site

By heeding John Mueller’s warning and focusing on producing valuable, informative content for your audience, you can avoid the pitfalls of fluff content and improve your website’s overall search engine performance.