WordPress sites hit by malvertising – Naked Security

An old piece of malware is storming the WordPress community, enabling its perpetrators to take control of sites and inject code of their choosing.

According to WordPress security company Wordfence, which published a detailed white paper on the malware earlier this week, WP-VCD isn’t a new piece of malware. It dates back to February 2017, but it has recently become even more successful. The company says that it has topped their list of WordPress malware infections since August this year. New features have been added to the malware, but its core functions have remained the same.

The malware spreads through pirated versions of WordPress themes and plugins that the attackers distribute through a network of rogue sites.

If administrators looking for free WordPress functionality download these assets and use them in their own WordPress sites, then they’ve essentially infected their own servers.

This is an ingenious attack vector because the criminals distributing the plugins don’t have to worry about finding new exploits in WordPress code or hacking legitimate extensions. Instead, as Wordfence explains, the crooks are exploiting human greed:

The campaign’s distribution doesn’t rely on exploiting new software vulnerabilities or cracking login credentials, it simply relies on WordPress site owners seeking free access to paid software.