WordPress remains the undisputed king of content management systems. It is the web’s most popular site-building platform, and odds are good that you either have a WordPress site or know someone who does. Legions of businesses use the open source CMS to build business-grade websites with a staggering degree of functionality.
Unfortunately, the immense success and popularity of the platform also makes it a target. Recently, the security firm SiteLock uncovered a nasty plugin based on the popular “WordPress SEO Tools” plugin.
This one is called WP-Base-SEO, and while it does provide some legitimate SEO benefits, it also contains a PHP eval request that hooks into your theme and allows hackers to take complete control over your website. According to Tom Spring this plugin “has infected close to 4,000 WordPress sites in the past two weeks, according to security experts.” We Watch Your Website explains the details of the hack.
Plugins are one of the best things about WordPress. With them, you can give your website virtually any functionality you want. Need an ecommerce platform for your business? A forum? A live chat service? You can do all of that with plugins, and more.
Unfortunately, given that plugins are made by third party vendors, it’s fairly easy for malicious code to find its way into the mix. WordPress doesn’t have extensive checks like the Google Play Store or the iTunes Store, so you don’t have buffer against winding up with a bad plugin.
For now, the best thing you can do is to scan your system for the presence of the plugin named above. If you find it, delete the plugin folder and lay down a fresh install of WordPress to be sure. That will eliminate the threat. Then, it’s simply a matter of checking periodically to ensure that you’ve only got the plugins you absolutely need to make your site function the way you want it to.
SEO plugins are extremely popular, because every business is looking for a way to get a tactical or strategic edge over the competition, which makes this threat all the more troubling.