29 Mar

WordPress Forum Moderators Keep Webmasters From Knowing About Malicious Code On Their Websites

When it comes to the poor state of security with WordPress plugins, a lot of it is due to the poor practices of the people on the WordPress side. The latest example we have just run across is with their forum moderators:

Recently we ran across a post about several plugins that had been available on the WordPress Plugin Directory that were harmful due to them containing code that loaded a file with malicious JavaScript code from a third-party website. That post indicates that there were at least four plugins:

As it turns out he has done the same with an SMTP Mail plugin, a Google Maps plugin, and a redirects plugin.

The plugins have now apparently removed, but for anyone already had the plugins installed they will not receive any notice that they have an installed plugin with malicious code in it. This lack of notification is an issue that we first raised over four years ago and despite the Plugin Directory people saying it would be fixed over three years ago, it still hasn’t been fixed.

From the original poster’s history we could find one of the plugins, Enable Google Analytics (enable-google-analytics). From there we found one more created by the same user, Breadcrumbs EZ (breadcrumbs-ez). We have now added those two to the data included with our Plugin Vulnerabilities plugin, so even if you are not using our service you would be warned about them. That still left two more malicious plugins and we wanted to make sure we warning about them as well, so we posted a response on thread to ask if anyone one could let us know what they were. We included a link to our contact page since one of the moderator was discouraging mentioning the names of the plugins on the forum. Making it harder to know what the plugin were doesn’t seem like a good idea in this case since the plugins don’t contain code that could be exploited by someone else, so all it seems to do is make it harder for people that already in danger to know what is going on.

Two hours after we posted on the thread another moderator replied:

@WhiteFirDesign, Good cause but please don’t ask people to contact you.

The moderator also replaced the link to our contact page with “[Moderated]”

The only reason we provided a link to our contact page was because the other moderator was asking for them not be mentioned on the forum. But someone could still try to post them on thread instead, even thought the other moderator complained about that, right? Wrong, the thread was also closed at that point, so that no one can reply in thread as to what the plugins were either.

It is unclear why these moderators would want to make it harder for people to find out that they have installed plugins with malicious code in them, but that is the end result of their actions.