27 Oct 2022

WP File Manager Getting Evidence Free Blame for Hacked WordPress Websites

Earlier this week we mentioned how GoDaddy’s Sucuri security service isn’t doing the basic work needed to properly clean up hacked WordPress websites, namely trying to figure out how the websites were hacked. They are not alone in that, but others take it further by blaming something for the hack without actually knowing if that is true, since they never tried to find the source. One recent example is a Reddit thread, which had 88 upvotes, where someone claiming to work for a web host blamed websites being hacked on a WordPress plugin named WP File Manager. By comparison, someone asking for evidence to support the claim was downvoted. While you could point the finger at Redditors for that, the claims are worth breaking down, as they show how things go wrong when dealing with hacked websites and how those who have the misfortune of having their website hacked can get a better outcome.

Confusion Over Outdated Software

One of the mistakes the poster makes is failing to understand the implications of outdated software. They start their post this way:

I work for a hosting company.

The vast majority of hacks I’m seeing right now are from outdated “WP file manager” plugins.

As soon as that thing gets outdated someone figures out how to break it. And then they just start loading stuff… Because it’s a file manager.

It is true that when a new version of a plugin fixes a vulnerability, hackers can usually work back from the fix to how to exploit the vulnerability. But for that to lead to a website being hacked, three things have to be true: a vulnerability has to have been fixed, it has to be one that hackers would be interested in exploiting (which isn’t the case for the vast majority of vulnerabilities), and hackers can’t already have known about it. So a plugin being outdated doesn’t by itself mean it will lead to a website being hacked. Also, since the vulnerability had to exist before it was fixed, it isn’t uncommon for hackers to exploit vulnerabilities in the latest version of software.

Based on just that, this wouldn’t be someone to trust, but let’s go with their claims:

In fact, as soon as a customer calls in about CPU overages or hosting resources being overused I look for malware. I usually find it.

And then the very next thing I look for is this plugin. wp-content/plugins/wp-file-manager

The plugin in question has 1+ million active installs according to WordPress Plugin Directory stats, so there is a good chance of finding it on hacked websites even if it has nothing to do with the hack.

You are even more likely to find it on hacked websites, since it isn’t uncommon for hackers to install a file manager plugin on a WordPress website they have already gained administrative access to, so they can take further actions from it.

It can’t be said enough that correlation is not causation.

This Isn’t Website Security

The next part of their post makes you wonder what they and web hosting companies believe is website security, as they write this:

Sometimes they’ve been hacked before and they bought websites security and everything was fine but they didn’t uninstall this plugin and the malware came back.

When dealing with a hacked WordPress website, updating outdated software and trying to figure out how the website was hacked are critical elements of a proper cleanup. If someone bought website security and the malware came back, that usually means that the cleanup provider is cutting corners. If it is some other type of website security, it clearly doesn’t work well if the malware comes back.

A little later, this person unironically complained about people not knowing something:

I’m not selling anything. I’m just sick of getting yelled at because people don’t know this. You should check right now.

After that, they mention website security services again, despite their earlier comment indicating they were aware those are not working:

And if you already have malware then you need to immediately uninstall WP file manager and pay for your site to get scrubbed. Your web developer can do it but if the malware is really good then it’ll repopulate almost out of nowhere. Website security can be purchased from lots and lots of places.

You have been warned. This is me trying to help.

The Right Question

Only one commenter asked the question that should be obvious after claims like those: what is the evidence?

Do you have any evidence those hacks resulted from security issues in the wp file manager plugin? There haven’t been any publicly disclosed vulnerabilities in that plugin for over 2 years.

The original poster’s response was underwhelming:

If I provided evidence then I would lose my job. So… Use at your own risk.

They wouldn’t lose their job for providing evidence, as that wouldn’t require information that would be sensitive or even traceable to them.

The commenter tried again with this reply:

So you did track the hacks back to the plugin? Were they using a vulnerable version of the WP File Manager (i.e. older than 2 years)? At the moment you haven’t said if the plugin was the attack vector, only a casual relationship that the plugin was installed.

They didn’t get a response, but they did reply this way themselves:

Disappointing to see the downvotes, with the claims made against a plugin. Would be good to get some clarity as the current version of WP file manager is known to be safe.

Again, the finger could be pointed at Reddit, but it isn’t uncommon for evidence-free claims about security to run on what are treated as reputable news sites as well.

What to Do If Your WordPress Website Is Hacked

When a WordPress website is hacked, hiring someone to professionally clean it up is a good idea, though, as the thread above is a reminder, many security companies don’t handle things properly.

What you want to look for is someone who emphasizes trying to figure out how the website was hacked. Without doing that, not only might the hacker be able to get back in through the same hole, but people who skip that work also often miss things the hacker added to the website.
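The distinction drawn above, between a plugin that was the way in and a plugin the hacker installed after already having admin access, is something a cleanup can actually test against the web server’s access log rather than assume. The following is an added example, not code from the original post or from the plugin’s developer. It parses combined-format access log lines, finds the first request that touched the wp-content/plugins/wp-file-manager directory named in the Reddit post, and checks whether the same client had already logged in or installed the plugin through wp-admin before that point. WordPress’s manual install endpoint (wp-admin/update.php?action=install-plugin) is real; the attacker IPs, timestamps, the file names under the plugin directory and the uploaded file are all constructed for illustration.

```python
"""Was the plugin the entry point, or was it dropped in after the break-in?

Added example (not from the original post). It turns the post's argument,
that finding a file manager plugin on a hacked site is correlation and not
causation, into a timeline check over a web server access log. All log
lines below are constructed; no real traffic or real incident is shown.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

PLUGIN_DIR = "/wp-content/plugins/wp-file-manager/"  # directory named in the post
# WordPress's own manual-install URL. Using it with this slug is an assumption
# about how a hypothetical attacker added the plugin, not a claim from the post.
INSTALL_MARKER = "action=install-plugin&plugin=wp-file-manager"


@dataclass
class Request:
    ip: str
    when: datetime
    method: str
    path: str
    status: int


def parse_log(lines):
    """Parse combined-format lines into Request objects, oldest first."""
    reqs = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        reqs.append(Request(m["ip"], datetime.strptime(m["ts"], TS_FMT),
                            m["method"], m["path"], int(m["status"])))
    return sorted(reqs, key=lambda r: r.when)


def prior_admin_activity(reqs, first_plugin_hit):
    """True if the same client had admin access before it first touched the plugin.

    Evidence accepted: a successful login (POST /wp-login.php answered with a
    302 redirect), any request under /wp-admin/, or the install-plugin URL.
    """
    for r in reqs:
        if r.ip != first_plugin_hit.ip or r.when >= first_plugin_hit.when:
            continue
        if r.method == "POST" and r.path.startswith("/wp-login.php") and r.status == 302:
            return True
        if r.path.startswith("/wp-admin/") or INSTALL_MARKER in r.path:
            return True
    return False


def classify_plugin_role(reqs):
    """Return one of: 'not_seen', 'installed_after_admin_access', 'candidate_entry_point'.

    'installed_after_admin_access' means the plugin's presence is a consequence
    of a compromise that happened some other way (the post's point about hackers
    adding a file manager once they have admin access). 'candidate_entry_point'
    means the plugin directory was hit by a client with no earlier admin
    activity, so it deserves a closer look as the actual hole.
    """
    first_hit = next((r for r in reqs if r.path.startswith(PLUGIN_DIR)), None)
    if first_hit is None:
        return "not_seen"
    if prior_admin_activity(reqs, first_hit):
        return "installed_after_admin_access"
    return "candidate_entry_point"


# Constructed scenario A: the hacker logs in with valid admin credentials,
# installs the plugin, then uses it. The plugin did not cause this hack.
SCENARIO_A = [
    '203.0.113.7 - - [20/Oct/2022:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [20/Oct/2022:03:12:40 +0000] "GET /wp-admin/update.php?action=install-plugin&plugin=wp-file-manager HTTP/1.1" 200 9120',
    '203.0.113.7 - - [20/Oct/2022:03:13:30 +0000] "POST /wp-content/plugins/wp-file-manager/example.php HTTP/1.1" 200 512',
]

# Constructed scenario B: an unauthenticated client goes straight to the plugin
# directory and a new PHP file appears in uploads right after. Worth investigating.
SCENARIO_B = [
    '198.51.100.23 - - [21/Oct/2022:11:40:12 +0000] "GET / HTTP/1.1" 200 20345',
    '198.51.100.23 - - [21/Oct/2022:11:40:13 +0000] "POST /wp-content/plugins/wp-file-manager/example.php HTTP/1.1" 200 733',
    '198.51.100.23 - - [21/Oct/2022:11:40:20 +0000] "GET /wp-content/uploads/x.php HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for name, lines in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        print(name, classify_plugin_role(parse_log(lines)))
```

The check is deliberately conservative: it only says the plugin is a candidate, not the confirmed vector, because the access log alone cannot show what the request to the plugin directory did. Confirming that requires matching the request against the plugin version actually installed and the file timestamps of whatever was dropped, which is the work the post says cleanup providers should be doing.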

A Good Reason to Avoid WP File Manager

It is true that a serious vulnerability was fixed in the plugin two years ago and that hackers have continued to try to exploit it, so it is possible that there really are websites running an outdated version that are still getting hacked because of it. That wouldn’t be a reason not to use the plugin, as the same can be said of plenty of popular WordPress plugins. There is a good reason not to use it, though: the developer of the plugin continues to not properly secure it. We went into detail on that in an advisory we released about the developer in May.

