Although a user named kisscsaby reported the problem on the WordPress.org support forums a month ago, it took that long for the issue in two vulnerable plugins to be caught by Google. By one estimate the two plugins put over 25% of all WordPress websites at risk, and the number of sites actually compromised is thought to be in the hundreds of thousands. These are two very popular plugins, downloaded over 6 million times between them. It is certainly shocking that such widely used plugins shipped with this flaw in the first place, and that it stayed out of Google's sight for 30 days.
The problem is that both plugins expose the websites running them to a serious vulnerability: remote code execution, or RCE, which lets an attacker run arbitrary commands on the target server. Both plugins support special tags of the form <!--mfunc ... --><!--/mfunc--> (along with the related mclude and dynamic-cached-content tags) that mark a snippet of PHP to be executed every time a cached page is served. Because visitor comments are rendered into the page, and the plugins did not strip these tags from comment text, anyone who could post a comment could have PHP of their choosing evaluated by the web server. Both plugin authors have since published new versions that disable the vulnerable functions. However, the effect of the earlier releases has been seen across a vast number of websites.
How to tell if your site was affected:
If your site uses a third-party commenting service instead of WordPress's own comments, you should be fine. Sites that have native comments enabled and run either plugin, however, are at real risk. To test whether your website is affected, post this comment on one of your own pages: <!--mfunc echo PHP_VERSION; --><!--/mfunc-->. Once the comment is approved and displayed, view the page as a logged-out visitor, since both plugins normally serve cached pages only to anonymous users. If the comment shows the version of your server's PHP install instead of nothing, you have a problem: anyone who can comment can pass commands to your server, and those commands will be executed. Delete the test comment when you are done.
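The check described above can be made systematic. The following Python script is an added example written for this article, not code from either plugin or from WordPress. It scans stored comment rows (constructed sample rows in the shape of the wp_comments table) for the tag families the two plugins evaluated as PHP, rewrites them so the caching layer no longer recognises them, and classifies the page fetched after posting the probe comment. It assumes the theme wraps each comment body in a div with class comment-content, as the default WordPress themes do; the regular expressions and sample data are this example's own.

```python
import re

# Tag families that WP Super Cache and W3 Total Cache evaluated as PHP when
# serving a cached page. The pattern is written for this example; it is not
# copied from either plugin. It matches both opening and closing forms.
DYNAMIC_TAG_RE = re.compile(
    r"<!--\s*/?\s*(mfunc|mclude|dynamic-cached-content)\b",
    re.IGNORECASE,
)

# The probe comment suggested in the article.
PROBE = "<!--mfunc echo PHP_VERSION; --><!--/mfunc-->"

# Constructed sample rows in the shape of wp_comments (comment_ID, comment_content).
SAMPLE_COMMENTS = [
    (101, "Great post, thanks!"),
    (102, PROBE),
    (103, "<!-- MFUNC system($_GET['c']); --><!--/mfunc-->"),
    (104, "See <!--mclude /etc/passwd--><!--/mclude-->"),
    (105, "<!-- an ordinary HTML comment -->"),
    (106, "<!--dynamic-cached-content--><?php phpinfo(); ?><!--/dynamic-cached-content-->"),
]


def find_injected_comments(rows):
    """Return (comment_ID, tag) for each comment carrying a dynamic-content tag."""
    hits = []
    for comment_id, content in rows:
        match = DYNAMIC_TAG_RE.search(content)
        if match:
            hits.append((comment_id, match.group(1).lower()))
    return hits


def neutralize(content):
    """Rewrite '<!--mfunc' to '&lt;!--mfunc' so the caching layer no longer sees a tag.

    Applied to comment_content before it is stored or rendered, this removes the
    trigger while keeping the attacker's text visible for review.
    """
    return DYNAMIC_TAG_RE.sub(lambda m: "&lt;" + m.group(0)[1:], content)


# Assumption for this example: the theme wraps each comment body in
# <div class="comment-content">...</div>, as the default WordPress themes do.
COMMENT_BODY_RE = re.compile(r'<div class="comment-content">(.*?)</div>', re.DOTALL)
STRIP_TAGS_RE = re.compile(r"<[^>]+>")
PHP_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\S*$")


def probe_result(html, probe=PROBE):
    """Classify the page fetched (logged out) after posting the probe comment.

    'inert'    - the tag came back verbatim in the page source, so it was not run
    'executed' - a comment body now consists of a PHP version string: the tag was run
    'unknown'  - neither seen (comment not yet approved, page not served from cache, ...)
    """
    if probe in html:
        return "inert"
    for body in COMMENT_BODY_RE.findall(html):
        text = STRIP_TAGS_RE.sub("", body).strip()
        if PHP_VERSION_RE.match(text):
            return "executed"
    return "unknown"


# Constructed responses: what a vulnerable and a patched site would return.
VULNERABLE_PAGE = (
    '<div class="comment-content"><p>Great post, thanks!</p></div>\n'
    '<div class="comment-content"><p>5.3.29</p></div>\n'
)
SAFE_PAGE = (
    '<div class="comment-content"><p>Great post, thanks!</p></div>\n'
    '<div class="comment-content"><p>' + PROBE + "</p></div>\n"
)

if __name__ == "__main__":
    for cid, tag in find_injected_comments(SAMPLE_COMMENTS):
        print(f"comment {cid}: {tag} tag found")
    print("vulnerable site:", probe_result(VULNERABLE_PAGE))
    print("patched site:", probe_result(SAFE_PAGE))
```

Run the comment scan against a dump of wp_comments to find out whether anyone other than you has already tried the tags; a hit in a comment you did not post is evidence of an attack attempt, and the plugin upgrade alone will not remove it from the database.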
Was your site compromised? Protect yourself.
The significance of these plugin flaws should not be brushed off: any user who is allowed to comment on your website can exploit them. How can you protect yourself? Upgrade the plugins. Install the latest versions of WP Super Cache and W3 Total Cache (W3TC) from the WordPress.org plugin repository; the fixed releases disable the mfunc feature by default. Keep WordPress itself current as well, but note that the fix for this issue is the plugin update, not a core update. If you need a caching plugin and do not have one yet, we recommend WP Super Cache, also available from the WordPress.org repository.
Keeping WordPress core and every installed plugin up to date is one of the most important things you can do to keep your website safe from attackers.