If you have the Display Widgets plugin installed on your WordPress site, delete it immediately. According to Wordfence, an internet security company with one of the most popular security plugins for WordPress, 200,000 websites are known to be exploited by the plugin's authors through a backdoor: malicious code that allows access to your website to publish spam content.
Why Should You Delete The Display Widget Plugin?
The popular plugin is used by about 200,000 websites, and the latest news report by Wordfence states that the last three releases contained a backdoor which allowed spammers to add content to websites without the knowledge of the website owners. The battle to remove the Display Widgets plugin from the repository has been fierce, and now that it has been removed, most website owners are not even aware that they might be at risk.
Even though the plugin was developed legitimately, it changed ownership, and this is where the threat started. Wordfence released an update with the full details of what happened and who was responsible in their latest post, titled "Updates on CyberSecurity, WordPress and what we’re cooking in the lab today."
In my latest post on securing a WordPress website, titled “5 ways to secure your WordPress site”, I stressed the need for updating your WordPress site. This latest event stresses the point even more: it is your responsibility to update and secure your site and to perform regular maintenance. So how much of a threat is Display Widgets to your website, and what can you do if you had it installed and, after reading this post, deleted it?
What Is A Backdoor?
A backdoor is malicious code that acts as a portal a hacker uses to gain administrative access to a system. The term has several definitions: it can be a legitimate point of access, or it can be files or code added to WordPress files to allow remote administration. It can be difficult to detect.
What Do We Know So Far?
On June 21st the legitimate author of Display Widgets sold the plugin, and a new release was then updated with a backdoor to publish spam content on websites. A few days later, users reported unusual activity coming from sites that had the plugin installed. A week later, a new release of the plugin came out containing a file called geolocation.php, which went undetected as malware. After this was reported, a new release of the plugin, version 2.6.3, was published once again and contained the same suspicious file, which turned out to be a backdoor. After multiple notifications from Wordfence and users, the plugin was finally removed from the repository permanently. Since then many discussions on the subject have been posted, as well as comments from the original author, and you can read them here.
What Should You Do After You Remove Display Widgets?
It still amazes me how many clients fail to back up their WordPress websites or update their plugins. Even though some hosts do create some backups, time and time again I see this simple maintenance task neglected.
The first thing you should do after you remove the Display Widgets plugin is to restore the website to a previous version from before the plugin was compromised. That means a version from before releases 2.6.1 to 2.6.3, or before June 21st, 2017. Simply removing the plugin may not be enough, since the exploit file geolocation.php can reside in the wp-admin folder.
If you have an .XML file export backup of your content and posts, you can clone your clean previous version of your website using the Duplicator plugin, launch the copy on a local environment such as WAMP or XAMPP, and then manually copy and paste your missing fresh content back into the new clean version of your website.
The next step you can take will require some exploration of your WordPress core files. You could install Wordfence and run a security scan, or use the Sucuri malware scanner plugin, as one method of detection. To search for backdoor files in your site, here is a great guide from the authors of WPBeginner.
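As a quick first pass before a full scanner run, the check described in this section can be scripted. The following is an added example, not code from Wordfence or from the plugin: it assumes a standard WordPress layout and a plugin folder named display-widgets, flags versions 2.6.1 to 2.6.3 as named above, and lists every file named geolocation.php (a name match only means the file needs review).

```python
import os
import re
import tempfile

PLUGIN_SLUG = "display-widgets"             # assumption: plugin folder name
BAD_VERSIONS = {"2.6.1", "2.6.2", "2.6.3"}  # release range named in this post
BACKDOOR_FILE = "geolocation.php"           # file name named in this post
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)

def plugin_version(plugin_dir):
    """Return the Version header from the first PHP file that declares one."""
    for name in sorted(os.listdir(plugin_dir)):
        if name.endswith(".php"):
            with open(os.path.join(plugin_dir, name), errors="replace") as fh:
                m = VERSION_RE.search(fh.read(8192))  # headers sit at the top
            if m:
                return m.group(1)
    return None

def audit(wp_root):
    """Return (kind, relative_path, detail) findings for a WordPress tree."""
    findings = []
    plugin_dir = os.path.join(wp_root, "wp-content", "plugins", PLUGIN_SLUG)
    if os.path.isdir(plugin_dir):
        ver = plugin_version(plugin_dir)
        kind = "backdoored-release" if ver in BAD_VERSIONS else "plugin-present"
        findings.append((kind, os.path.relpath(plugin_dir, wp_root), ver))
    # The file can survive plugin removal (e.g. in wp-admin), so walk everything.
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in files:
            if name.lower() == BACKDOOR_FILE:
                rel = os.path.relpath(os.path.join(dirpath, name), wp_root)
                findings.append(("review-file", rel, "name matches backdoor file"))
    return findings

def build_sample_site(root):
    """Constructed sample tree: plugin 2.6.3 plus a stray copy in wp-admin."""
    plug = os.path.join(root, "wp-content", "plugins", PLUGIN_SLUG)
    for d in (plug, os.path.join(root, "wp-admin")):
        os.makedirs(d)
        open(os.path.join(d, BACKDOOR_FILE), "w").close()
    with open(os.path.join(plug, "display-widgets.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Display Widgets\nVersion: 2.6.3\n*/\n")

if __name__ == "__main__":
    root = tempfile.mkdtemp()
    build_sample_site(root)  # on a server, pass the real WordPress root to audit()
    for finding in audit(root):
        print(*finding, sep="\t")
```

An empty result does not prove the site is clean; it only rules out the two indicators this post names, so the restore and full scan above still apply.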
The Wrap Up And Final Thoughts
According to communication with the plugin author who purchased and updated the Display Widgets plugin, it was not their fault. Blame and finger-pointing are not important at this point. What we have learned from this is that plugins, especially free plugins, can sometimes contain malware, and that it takes some time for it to be detected.
This only stresses the importance of securing your WordPress website, having regular backups in case something like this happens, and knowing how to restore your site when things go wrong. Make sure you are persistently updating your WP system and plugins, and run a security plugin that works best for you to prevent future problems.