WordPress Malware

WordPress Malware

Hacked Website - How does it happen?

How serious are the WordPress Malware Attacks?

According to the WordCamp site, there are currently over 75 million sites that use WordPress. While no one actually has the actual number of attacks. The WordFence plugin has been downloaded over 180 million times and protects 4 million WordPress websites.

WordFence reported their customers experience 2800 malicious login attempts per second. WordFence analysis accounts for a very small portion of the WordPress user base.

If malicious attacks rates are consistent. The WordPress platform could easily have 50,000 attacks per-second.


The likelihood of the attacks being consistent is slim. Hackers are smart people. They know that attacking a WordPress site without Security is easier to access than one with Security. Attacks on systems without security is more prevalent.

Website Hacker“2,800 malicious login attempts per second against WordFence customers” – WordFence

Your Friend Got Your Site Hacked

2021 WordPress Hacks

Shared Hosting Vulnerability 

FINALLY – Sucuri has reported (what I have been telling my clients for years). Shared Hosting requires that all sites are up-to-date. Hackers are able to access a website via the cPanel by first accessing a known vulnerable site on the cPanel hosting. 

For more information on Share Hosting Infections read – Trojan Spyware and Bec Attacks (if you are not techinal jump to the article conclusion).


Shared Hosting Hack

Keep All Sites Current to Avoid Shared Hosting Hack.

2021 WordPress Plugin Attacks

Are you using any of the following plugins

It is Time to Update (or remove) Vulnerable WordPress Plugins.

Variation Swatches by Woosuite

Customers Taking Over Your WordPress Site

A plugin that can make your products look better is now letting hackers who have customer permissions inject malicious JavaScript. 

All in One SEO

Wipe Your Entire Site Clean

A critical Authenticated Privilege Escalation bug and a high severity Authenticated SQL Injection. While the attack seems light – if you read begin the lines – you quickly discover that the user privilege can be changed remotely and your entire site can be taken over. 

WP Reset Plugin

Wipe Your Entire Site Clean

Why a developer would leave a reset plugin active on a website is beside me. Once hacked the plugin allows the hacker to wipe the site. Plain and simple. Again, why would this type of plugin be left active on a website? 

When is the last time you did a website backup? 

Hide My WP

When your security is the problem

A plugin dedicated to securing WordPress websites got hit. SQL injection vulnerabiity from IP address retrieved in the SQL query.

OptinMonster plugin

Those Lead Generators may cost you your site

Yes, hackers can access your site via the OptinMonster Plugin to add JavaScript snippets on your website. While the plugin has been updated – the nature of API vulnerability means there  are other weak entery points. 

HashThemes Demo Importer

Reset and Wipe your WordPress website

The subscriber-level user hecker would allow attackers to delete most all of your media files and database content (good reason to always have a backup of your website).

Access Demo Importer plugin

Allow Privileges to Upload to your Server

  • 📰 Server Access (20,000+ websites)

Websites that record information, credit cards, logins, or other types of data are particulary vaulnerable. Letting third parties to ability to “expolit the opening maliciously”.

Like many Developers being able to respond to plugin problems quickly may not be the easiest thing to do. For Access Demo Importer the updates took a few months to happen. Their plugin was removed by the managerment system administrators due to difficulty contacting the developers.

Download Monitor Plugin introduces new Malware strain

Uses known WordPress Vulnerabilities by gaining access with weak administractive credentials

New Capoar malware written in Golang programming lauguage. Preforming a remote code execution to your server.

The new malware arrived via a backdoor linked to aWordpress plugin.

Capoae installs the Monera Cryptocurrency miner.

Frontend File Manage plugin

WordPress File Management – Riddled with Critical Bugs

Adding a File Management app to your website is not recommended. Leaving it active on your WordPress site can lead to some serious issues, such as deleting all the files and causing trouble with hosting. It just means you’re exposing core installation information and giving everyone who knows how free rein of everything stored on your server. 

Adding a file management plugin has no benefits for websites. Use FTP / SFTP access to manage your server files. 

SEOPress WordPress plugin

Any User can take over Post Titles

Attacker can take the full-use of the site over. With malicious web scripts. 

All users should update the SEOPress WordPress plugin. 

WP User Avatars plugin
  • 📰 Vulnerable Plugin Exploited in Spam Redirect (30,000 websites)

Uploading a Backdoor to your website

Yes, this malware attack begins by adding backdoor access to your website. The hacker then installs bogus font plugins to your site that result in redirecting your site visitors to a spam site. 

In the background, the hacker creates a connction with your database and gains access to your administrator users information. And then the clever part of this take over is that the Admin user is exempt from the redirect – keeping the take over hidden from the administeator. 

Fancy Product Designer plugin

Zero-day vulnerability

Yes a harker can take over your site if you are using Fancy Product Designer plugin. WordFence were the first to report that hackes could take over a site using Frany Product Designer plugin.

As a developer and designer – I don’t know why anyone would use the Fancy Product Designer plugin. WooCommence is a top heavy resource sucker – no matter you cache it. WooCommence does require an arsenal of companion plugins (shipping rates, shipping labels, custom orders, coupons, colors, abandoned cart – seriously the list goes on).

Why you would want to add another one-function plugin to a WooCommence enviroment really puts the developer at question (quailty is a choice – you may wanna fire that developer).

Facebook for WordPress Plugin

Two critical severity flaws in Facebook for WordPress (formerly Facebook Pixel). The first flaw allowed hackers to achieve remote code execution.

The second flaw simply had to trick the admin user to click a link and the hackers could inject malicious code into the site.

jQuery Migrate Plugin

The full scale of attack remains undetermined. By injecting Scripts hackers can skim credit card info. And, redirect users to fake sites.

Users were redirected to fake sites. And, prompted to confirm they were not a robot. As of March 2021, the malicious file is undetected by 90% of antivirus engines.

Elementor Plugin

Compromise the admin accounts. Then using the site to install malicious plugin wpstaff.

4/17/21 – 15 Elementer plugins with over 100 vulnerable endpoints. Allows for “cross-site scripting or malicious JavaScript“. 

Orbit Fox Plugin

Inject malicious code into vulnerable website. And take over the website. 

Popup Builder Plugin

Attackers send out newsletter with their own custom content. Followed by deleting your entire contact list. Let Mailchimp handle your newsletter services. 

123ContactForms Plugin
  • 📰 123contactform (3K installs)

Sucuri reported the 123ContactForms hack. Attackers are able to use software flaws to create their own posts. And, easily add malicious files to the website.

Contact Form 7 Plugin

Stored cross-site scripting (xss) security bug. 

Ninja Forms Plugin

Critical security Flaws January 2021 & June 2020. 

BUG 1: Authenticated Email Hijacking Account Takeover.

Bug 2: Authenticated OAuth Connection Key Disclosure.

Low-level users able to trigger and retrieve client_id for established OAuth connections.

Attacker with subscriber-level access (the lowest access available to WordPress users). 

Bug 3: Cross-Site Request Forgery to OAuth Service Disconnection.

Attackers could disconnect OAuth connections. Establish a connection with the Ninja Form dashboard – and read mail.

Bug 4: Administrator Open Redirect.

Attacker redirects the admin user to malicious site. And, infecting the admin’s computer with malware.

2020 WordPress Plugin Attacks

Easy WP SMTP Plugin

Hackers were able to identify admin users. Followed by a password reset. Locking the admin user out. And, giving the hacker full control to all site functions and user accounts.

Loginizer Plugin

WordPress developers categorized the security issues affecting the plugin and one-of-the-worst.

WordPress developers pushed an automatic update to all users (even those that had the plugin disabled).

The forced update was the first indicator that WordPress has the ability to automatically update everyone’s plugins – even when they are not active.

NextGEN Gallery Plugin

Here are articles to learn more about the NextGen Plugin hack.


Over 530,000 sites are still exposed to attackers. Yes, NextGen Gallery got hit by another hacker. This time, using Remote Code Execution to effectively take over the WordPress site.

NextGEN Gallery acted quickly to provide a patch for the hack. A few days after the release only a small portion of the GalleryGen Gallery plugin had updated to the safe version of the plugin. Leaving more than 530,000 potentially exposed to takeover attacks.

In 2017, NextGen Gallery was attacked with a SQL injection.  Allowing hackers access to the website database. Including sensitive user information.

Ninja Forms Plugin

Threat Intelligence team reported a XSS flaw in Ninja Forms. The plugin flaw let attackers replace contact forms with a malicious form.

Learn More About WordPress

Read my most recent WordPress Blogs.

Read my blog to learn more about The Impact of Using WordPress Plugins

Article Updates

  • 2/18/21 – Second NextGEN Gallery WordPress plugin article link added to blog post..
  • 2/25/21 – Second Ninja Forms WordPress Plugin hacked added to blog post.
  • 3/3/21 – Updated Ninja Forms Bug 3.
  • 3/16/21 – Page Layout Redesign. More information at the bottom of page added to blog post..
  • 3/16/21 – New listing. Contact Form 7, Elementor, Popup Builder, and Orbit Fox added to blog post.
  • 4/8/21 – jQuery Migrate plugin added to blog post.
  • 9/8/21  – Frontend File Manager plugin added to blog post.
  • 10/14/21 – Download Monitor Plugin introduces new Malware strain.
  • 10/14/21 – Access Demo Importer added to blog post. 
  • 11/11/21 – Added HashThemes Demo Importer
WordPress – The Year Ahead

WordPress – The Year Ahead

Year Ahead with WordPress

Minutes – Sandy Mush WordPress Meeting #005
Tuesday, 26th January 2021

Topic – What to expect from WordPress in 2021

  • Gutenberg Blocks – are not going away.
  • Full-site editing in core before the end of the year.
  • WordPress 5.8 (June 2021)

New WordPress Slack Channels 


Friday, January 29th, 2021, at 11AM EST – REGISTER FOR EVENT

Gutenberg Times: All-things about the WordPress Block Editor and Gutenberg plugin in development

Pauli-Haack plans to cover all the latest updates on full-site editing, block-based themes, and global styles. The panel will also touch on the navigation and widget screens, as well as what features will most likely land in WordPress 5.7.

Discussion Topic

MVP – minimum viable product – “a version of a new product which allows teams to collect the maximum amount of validated learning about customers with the least amount of effort. 

MVP Definition

“The ultimate goal of an MVP is learning. Because unless you’re getting valuable insights from the MVP, it doesn’t matter how many engineering hours you spent or how fast you got it to market. It’s not about proving if you can build it or even how, but why customers should even care in the first place.”

📰 https://envato.com/blog/whats-an-mvp-testing-a-minimum-viable-product/ 

MVP Tests

Minimum Viable Product tests that I run for my clients can range from vague AdWords tests to early prototypes.

Run Ads
What is the response. 

Create Landing Pages
Present information to customers. 

Paper Prototypes
Cheap mock ups of products. 


Demonstration Video 

Visual Prototype 

The Impact of WordPress Plugins

The Impact of WordPress Plugins

What is the Impact of WordPress Plugins 

What is the real impact of using plugins to enhance WordPress performance?

The WordPress Plugin library offers an endless depth of enchantments for your WordPress site.  You name it – I am sure there is a plugin or two that can handle your need. It is important to remember that WordPress plugins are developed by Third-party developers (and not the WordPress team). Plugins do adhere to guidelines to help ensure that plugins remain secure and safe for users.

The importance of site speed

Other than the obvious – that people do not like using a slow website.

A slow loading website creates a bad user experience.
And is more prone to errors.

And you do have Google monitoring your site speed while determining your site ranking. Slow websites rank lower than fast loading website.

Impact of WordPress Plugins

With each plugin installed there is an exchange.

Site Speed

Plugins can slow down the loading speed of your WordPress website.



Hackers use plugin vulnerabilities to access your website.

How do plugins impact your website speed?

WordPress PageSpeed Without Plugins Installed

Mobile 98 / Desktop 100

WordPress PageSpeed With 3 Plugins Installed

Mobile 68 / Desktop 79 / Grade F


Mobile 80 / 75 / 84 / 81

Desktop 88 / 87 / 93 / 90

Grade E / F / B / C


Mobile 80 / 91 / 80

Desktop 95 / 87 / 86

Grade B / D / B

(Not Connected)

Mobile 99 / 96 / 99

Desktop 96 / 93 / 95

Grade B / B / B

PageSpeed (Connected)

Mobile 89 / 9o / 97

Desktop 91 / 89

Grade D / A 

The importance of site security

No one wants to interact with your hacked website. End of Story. 

Once your site is hacked – you have no idea to what may be happening to your site, your content, or your end user.

You can only clean up the mess and hope for the best. With the best outcome being that the hack was small and impacted as few users as possible. 

Infections Comparison

WordPress is the most popular CMS to be infected.

2020 = ??%

2019 = 94%

2018 = 90%

2017 = 83%

Plugins that have been hacked

Discount Rules for WooCommence

  • SQL injection
  • Authorization Issues.
  • Unauthenticated stored cross-site scripting.

For more information:


WP Product Review

  • Unauthenticated stored cross-site scripting.

For more information:


File Manager

  • Upload Webshells hidden in an image. 

For more information:


Google Sitekit

  • Hack

For more information:

  • Google Site Kit


What Changes are Hackers Making to Your Website

Redirect Administrator

Locking Admin Out of the Site.

Create New Admin Accounts

Hacker can take over your site.

Inject Backdoors

The most popular hack.
The Inject Backdoor provides the hacker access even after webmaster changes passwords or patched vulnerable software.


Malware can reverse security
(WordPress Malware Disables Security Plugins to Avoid Detection).

SQL injection

Hacker interfere with the queries that an application makes to the database.
Can gain access to passwords, credit card information.
Compromise the underlying server and back-end infrastructure.

Unauthenticated Stored Cross-site Scripting.

Type if injection in which malicious scripts are injected into your website.
Can circumvent origin policy that segregate websites.

Web Shells

Malicious script that is the second step of an attack to maintain persistent access on an already compromised web application.

The Seven Most Popular Attacks