There are an estimated 60 million WordPress sites online, and a good percentage of those have plugins with critical vulnerabilities installed. Attackers are using these vulnerable plugins as a backdoor for compromising WordPress sites.
I wrote a blog post about SoakSoak, the latest WordPress malware attack, and the risk from vulnerable plugins:
Watch out for SoakSoak, a new malware threat that has compromised more than 100,000 WordPress websites and led to more than 11,000 domains being blacklisted by Google. WordPress is a hugely popular and widely used Web publishing platform, so it’s important to understand how the SoakSoak malware works, and what you can do to prevent your own WordPress site from being compromised.
Approximately one in six websites—or about 60 million worldwide—are hosted through WordPress, so the damage could be, or may still get, much worse. In a blog post on Tripwire’s State of Security, David Bisson explains that once a WordPress site is infected, it may unexpectedly redirect users to the SoakSoak.ru domain, and/or download malicious files to the users’ computers to further propagate the attack.
The short answer to the question “What can I do to prevent my WordPress site from being compromised?” is to make sure you keep WordPress itself and any plugins you use up to date. You should also remove any plugins you aren’t actually using. Attackers are apparently exploiting critical vulnerabilities in WordPress plugins as an easier, stealthier way of spreading malware through WordPress sites. Many plugins are not actively maintained by the developers, and not monitored by the users who have them installed, so they’re an easy back door for compromising a website.
Matt Johansen, senior manager of the Threat Research Center for WhiteHat Security, pointed out that this is just the latest in a string of serious vulnerabilities affecting WordPress sites over the last few months, and that SoakSoak is just the latest malware to take advantage of one of these critical flaws to worm its way through WordPress sites.
Check out the full article at PCWorld: Clean up your WordPress plugins to avoid SoakSoak and other malware threats.
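The "keep plugins updated, remove the ones you don't use" advice above, turned into a small audit script. This is an added example, not code from the original post or from WordPress; it reads the JSON that the real `wp plugin list --format=json` command prints and sorts plugins into "update now", "delete" and "fine". The `SAMPLE_WP_PLUGIN_LIST` data is constructed for illustration.

```python
import json
import subprocess

# Constructed sample of what `wp plugin list --format=json` prints: one object
# per installed plugin. Real output has the same field names.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none",
     "version": "3.0.4", "update_version": ""},
    {"name": "hello", "status": "inactive", "update": "none",
     "version": "1.6", "update_version": ""},
    {"name": "example-gallery", "status": "active", "update": "available",
     "version": "2.1.0", "update_version": "2.1.3"},
    {"name": "old-widget", "status": "inactive", "update": "available",
     "version": "0.9", "update_version": "1.2"},
])


def audit_plugins(plugin_list_json):
    """Classify plugins: inactive -> delete, update available -> update, else ok.

    Inactive plugins still sit on disk and their PHP files are still part of the
    site, so an unused plugin is removed rather than merely updated.
    """
    update_now, remove, ok = [], [], []
    for p in json.loads(plugin_list_json):
        if p["status"] == "inactive":
            remove.append(p["name"])
        elif p["update"] != "none":
            update_now.append((p["name"], p["version"], p["update_version"]))
        else:
            ok.append(p["name"])
    return {"update": update_now, "remove": remove, "ok": ok}


def wp_cli_commands(report):
    """Build the WP-CLI commands that would act on an audit report."""
    cmds = []
    if report["remove"]:
        cmds.append("wp plugin delete " + " ".join(report["remove"]))
    for name, _old, _new in report["update"]:
        cmds.append("wp plugin update " + name)
    return cmds


def audit_live_site(wp_path):
    """Run the audit against a real install (requires WP-CLI on the host)."""
    out = subprocess.run(
        ["wp", "plugin", "list", "--format=json", "--path=" + wp_path],
        check=True, capture_output=True, text=True).stdout
    return audit_plugins(out)


if __name__ == "__main__":
    for cmd in wp_cli_commands(audit_plugins(SAMPLE_WP_PLUGIN_LIST)):
        print(cmd)
```

Running the script as-is prints the commands for the constructed sample; point `audit_live_site()` at a real install to review its output before executing anything.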