Hackers Find Yet Another Loophole In WordPress Websites

​Hackers have found a new technique to access WordPress websites through weak accounts who do not have a two way authentication and through JetPack plugins. The technique is highly complex to compromise a website and a hacker must utilize multiple steps to attack a WordPress website. 

Hackers first try and hijack websites by trying reused passwords of the usernames they have. This is where the two way authentication loophole is compromised. There is an analytics module named Jetpack which is one of the most popular plugins for WordPress Sites. JetPack provides an ability to install various plugins across different sites by just using the wordpress.com Jetpack dashboard. The plugin doesn’t even have to be hosted or hidden on the official WordPress.org repository, and criminals can easily upload a ZIP file with the malicious code that then gets sent to each site.

​Hackers are taking advantage of this remote management feature to deploy backdoored plugins across previously secured websites. Experts say that attacks started on May 16, with the hackers deploying a plugin named “pluginsamonsters,” later switching to another plugin named “wpsmilepack” on May 21.

---