Wordfence Works to Catch Plugins Hacker

Wordfence recently tracked down a hacker who used WordPress plugins to get into other people’s websites and publish spam content. The plugin in question is called Display Widgets. If you are not on a WP Maintenance Program with us, are monitoring your own website, and have this plugin installed, remove it immediately!!!

The author of the plugin was using it as a backdoor portal to publish spam content to hundreds of thousands of WP websites across the globe. 🙁

The person behind these malicious attacks is an individual named Mason Soiza, who purchased Display Widgets for $15,000 from Stephanie Wells, the plugin’s original author. Within five weeks of the purchase, two versions of Display Widgets were released to the repository; the malicious code was found in the second version.

This is a trick that many hackers employ when using this type of attack.

First, they release safe and stable code so that the app is approved by the platform that promotes it or grants access to it. They then insert the malicious code in later (updated) versions. When it first appeared, the malicious code was removed from the repository, but after a few tweaks it was back in a different form.

Wordfence also discovered at least nine plugins linked to Soiza’s spam campaigns. The malicious code in these plugins has been contained and removed from the repository. The current status of the plugins is:

  • 404 to 301: Safe
  • Display Widgets Plugin: Safe, but no longer maintained
  • WP Slimstat: Safe
  • WP Maintenance Mode: Safe
  • Menu Image: Safe
  • NewStatPress: Safe
  • Financial Calculator Plugin: Safe. Never included malicious code, but Soiza did have access for some time this year.
  • Weptile Image: Removed from repository
  • No Comment: Removed from repository

According to Mark Maunder, CEO of Wordfence, Soiza has been dabbling in scam tactics for 4.5 years now. He was adept at covering his tracks and managed to remain undetected over that time, using several company names and email addresses under pseudonyms – which, once he was discovered, actually helped prove his malicious intent.

On June 15th 2017, Wordfence released a security feature that alerts users when a plugin is removed from the repository due to security issues. This paved the way to recognizing the issue with Display Widgets and eventually catching Mason Soiza.

Wordfence points out how important it is to keep an eye on plugins that aren’t up to date. If a plugin has not been updated for years, it’s likely that the author has abandoned it. Never install an outdated plugin, as it is unlikely to contain code that addresses newer security issues.
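As an added illustration (not code from Wordfence or from this post), here is a small audit that flags installed plugins that are either no longer in the WordPress.org directory or have not been updated in years, using the plugin-info API responses; the sample responses below are constructed, and the endpoint URL and the `last_updated` field are assumptions based on the public API.

```python
import json
import urllib.request
from datetime import date, datetime, timedelta

# Constructed samples of plugin-info API responses, trimmed to the fields this
# check uses. A plugin that was closed or removed comes back as an error object.
SAMPLE_RESPONSES = {
    "maintained-plugin": json.dumps({"name": "Maintained Plugin", "version": "2.4.1",
                                     "last_updated": "2017-09-10 8:43pm GMT"}),
    "stale-plugin": json.dumps({"name": "Stale Plugin", "version": "1.0.3",
                                "last_updated": "2013-02-01 1:10am GMT"}),
    "removed-plugin": json.dumps({"error": "Plugin not found."}),
}

STALE_AFTER = timedelta(days=2 * 365)  # treat two years without an update as abandoned


def fetch_from_directory(slug):
    """Fetch live metadata for one plugin slug (assumed endpoint; not used by the tests)."""
    url = "https://api.wordpress.org/plugins/info/1.0/%s.json" % slug
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def classify(raw_json, today):
    """Return (status, detail) for one plugin: 'removed', 'stale' or 'ok'."""
    info = json.loads(raw_json)
    if "error" in info or "last_updated" not in info:
        return "removed", "not in the directory (closed or removed)"
    # Only the date part is parsed, so the time-of-day format does not matter.
    updated = datetime.strptime(info["last_updated"][:10], "%Y-%m-%d").date()
    age = today - updated
    if age > STALE_AFTER:
        return "stale", "last update %s (%d days ago)" % (updated.isoformat(), age.days)
    return "ok", "last update %s" % updated.isoformat()


def audit(installed_slugs, fetch, today):
    """Classify every installed plugin; 'fetch' maps a slug to the raw JSON response."""
    return {slug: classify(fetch(slug), today) for slug in installed_slugs}


def audit_samples():
    """Run the audit over the constructed samples with a fixed reference date."""
    return audit(SAMPLE_RESPONSES, SAMPLE_RESPONSES.__getitem__, date(2017, 9, 15))


if __name__ == "__main__":
    for slug, (status, detail) in audit_samples().items():
        print("%-8s %s: %s" % (status, slug, detail))
```

For a live check, pass `fetch_from_directory` and `date.today()` to `audit` together with the slugs from your site's plugins directory; any plugin reported as removed or stale is a candidate for replacement.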

Website owners need to be on high alert, as unmaintained sites are already at risk. Before you ever install a plugin, check it thoroughly – even contact us first – rather than relying on other people’s reviews and user experience feedback.