Hackers Are Exploiting WordPress Themes, Plugins to Hawk Scams


Thousands of WordPress sites have been hacked via known vulnerabilities in recent months, according to security firm Sucuri.
Photo: Jack Guez/AFP (Getty Images)

If you’ve visited a website recently and been abruptly redirected to pages pushing sketchy “resources” or unwanted ads, there’s a good chance the site in question was 1) built on WordPress and 2) hacked.

Researchers at Sucuri, a security provider owned by GoDaddy, revealed on Wednesday that the hackers behind a months-long campaign focused on injecting malicious scripts into WordPress themes and plugins with known security holes were at work yet again.

It’s important to note that these attacks exploit themes and plugins built by thousands of third-party developers for the open source WordPress software, not WordPress.com, which offers hosting and site-building tools. Automattic, WordPress.com’s parent company, is a major contributor to the software but does not own it.

According to Sucuri, 322 WordPress sites have so far been identified as compromised through vulnerable plugins and themes in this latest wave, although the “actual number of impacted websites is likely much higher.”

In April alone, hackers used this tactic to infect nearly 6,000 sites, Sucuri malware analyst Krasimir Konov stated.

Sucuri noticed the latest intrusions this past Monday while investigating WordPress sites whose owners complained of unwanted redirects. All of the websites shared a common trait, Konov explained: malicious JavaScript hidden in their files and databases.

The JavaScript redirects visitors to a range of poisoned destinations, including phishing pages and malware, the researcher explained. Worst of all, visitors might not even notice they’ve been led down the internet’s version of a dark and dangerous alley, because the redirect landing page looks fairly innocent.
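As an added illustration (not code from the Sucuri report or from this article), the check below shows what a site owner or incident responder would actually run to hunt for the kind of injection described above: it walks theme and plugin files and a wp_options export looking for <script> tags that redirect the browser, decode obfuscated strings, or load JavaScript from a host other than the site’s own. The sample footer.php, plugin file, option rows and the myblog.example / cdn.example.invalid hostnames are constructed for the demo, and the heuristics are generic rather than indicators taken from this campaign.

```python
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample artefacts (NOT real indicators from the Sucuri write-up):
# one theme template with an injected redirect script, one clean plugin file,
# and a few rows as a wp_options export would present them.
INFECTED_FOOTER_PHP = """<?php wp_footer(); ?>
<script>var u=atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv");window.location.href=u;</script>
</body></html>
"""
CLEAN_PLUGIN_PHP = """<?php
/* Plugin Name: Example Plugin */
add_action('wp_head', function () { echo '<meta name="generator" content="example">'; });
"""
WP_OPTIONS_ROWS = [
    ("siteurl", "https://myblog.example"),
    ("widget_custom_html", '<script src="https://cdn.example.invalid/loader.js"></script>'),
    ("blogdescription", "Just another site"),
]

SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

# Heuristics for behaviour a legitimate theme or widget script rarely needs:
# assigning to location (a redirect) and base64/eval/escaped-string obfuscation.
INDICATORS = {
    "redirect": re.compile(r"\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:replace|assign)\s*\(", re.I),
    "obfuscation": re.compile(r"\batob\s*\(|\beval\s*\(|String\.fromCharCode|\\x[0-9a-f]{2}", re.I),
}


@dataclass
class Finding:
    location: str     # file path or "wp_options:<option_name>"
    indicators: list  # which heuristics fired
    snippet: str      # start of the script tag, for triage


def scan_markup(location: str, text: str, site_host: str) -> list:
    """Return one Finding per <script> tag in `text` that trips a heuristic."""
    findings = []
    for attrs, body in SCRIPT_TAG_RE.findall(text):
        hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
        m = SRC_ATTR_RE.search(attrs)
        if m:
            host = urlparse(m.group(1)).hostname
            # Absolute URL to a host other than the site's own: flag for review.
            if host and host.lower() != site_host.lower():
                hits.append("external_src:" + host)
        if hits:
            snippet = f"<script{attrs}>{body}".replace("\n", " ")[:80]
            findings.append(Finding(location, hits, snippet))
    return findings


def scan_files(root: Path, site_host: str) -> list:
    """Scan every .php/.html template under `root` (e.g. wp-content) for inline scripts."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in {".php", ".html"}:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_markup(str(path), text, site_host))
    return findings


def scan_options(rows, site_host: str) -> list:
    """Scan (option_name, option_value) pairs, e.g. from `wp option list --format=json`."""
    findings = []
    for name, value in rows:
        findings.extend(scan_markup(f"wp_options:{name}", str(value), site_host))
    return findings


def demo() -> list:
    """Write the constructed samples to a temp dir and scan them plus the option rows."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "themes" / "mytheme").mkdir(parents=True)
        (root / "plugins" / "example").mkdir(parents=True)
        (root / "themes" / "mytheme" / "footer.php").write_text(INFECTED_FOOTER_PHP)
        (root / "plugins" / "example" / "example.php").write_text(CLEAN_PLUGIN_PHP)
        findings = scan_files(root, "myblog.example")
    findings += scan_options(WP_OPTIONS_ROWS, "myblog.example")
    return findings


if __name__ == "__main__":
    for f in demo():
        print(f.location, f.indicators, f.snippet, sep="\n  ")
```

Run against a real install, point scan_files at wp-content and feed scan_options the output of a wp_options export; anything flagged still needs a human to confirm it is not a legitimately embedded analytics or ad tag, which is why the snippet and the external host are reported rather than auto-removed.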

“This page tricks unsuspecting users into subscribing to push notifications from the malicious site. If they click on the fake CAPTCHA, they’ll be opted in to receive…