Are you tired of the battle against the hacks? Here’s our thoughts on the latest situation with WordPress websites.
If you are at all related to the web world, you will inevitably come in contact with WordPress. It’s the beautifully-designed, easy to use content management system that is our favorite here at AndiSites. According to W3Techs, WordPress is now estimated to be used in 58.9% of content management system websites. And in 25.7% of all websites! (Source)
Since WordPress is the most popular CMS, hackers can target low-quality implementations in order to gain an edge. These include weak installations and unsupported versions. Hence the importance of making sure your WordPress website is developed and supported by skilled professionals. And also that core security and plugin updates are made regularly.
The most recent vulnerability we discovered
A new client of ours sought help from AndiSites because they were seeing errors and experiencing problems with their site. And we were ready to do battle against the hacks!
The vulnerability that we discovered was likely installed via a Gravity Forms plugin. It hadn’t been updated to the latest version. We have heard of past hackers gaining access through Gravity Forms.
Thankfully the folks at Rocketgenius (the plugin’s provider) address those vulnerabilities the moment they find them. Gravity Forms is included in many websites since it is a powerful, highly customizable form builder plugin. It not only collects information but also integrates with lots of third-party database services.
Unfortunately, some websites do not keep up with the latest security updates and put themselves at potential risk of getting hacked.
The actual code
In the hack mentioned above, the code implanted is added at the bottom of the api.php file. The hack mainly consists of a set of routines that enqueue an external javascript to be included in the normal calls. It is hard to detect because the domain of the external javascript is very similar to the domain of valid external libraries called in public CDNs. In this case the hacker used a call to a domain very similar to code.jquery.com.
He instead registered a domain: jqeury.org and then created a subdomain code.jqeury.org, which is easy to miss by just looking at the source code of the page.
Most importantly, you can’t just look for the reference in your installation because they use a PHP string replace function (they don’t write it out directly in the code). In this case, they used: “j..q..e..u..r..y…o..r..g” as part of the string. Then they removed the dots with string replace (as in the example below).

Why did the hacker do this on our client’s site? It’s impossible to know for sure. But, for example, enqueuing an external JavaScript that steals a login cookie can be used maliciously for all sorts of things. In an e-commerce cart site it can be used to obtain access to sensitive information including digital download products, customer information, and much more.
The Moral of the Story in the Battle Against the Hacks
I don’t want to remind you again about the importance of a support plan with a reputable WordPress agency. But I do want to encourage you to make the security of your website a priority when fighting the battle against the hacks.
Security is a vital part of every website. At AndiSites we build security into every website we create and provide support and WordPress maintenance plans that give you peace of mind post-launch.
You might also like to read our articles Top Five Crucial Steps for WordPress Maintenance and WordPress Security: How to Avoid Getting Hacked.
Or check out all our website security blog posts.