WordPress Supply Chain Attacks

The software industry operates on a relationship of trust between the vendors and their clients. In recent years, as the developments in this industry have progressed, so have the threats. There are various types of cyber attacks affecting the software industry. One of them is the “Supply Chain Attack.” A supply chain attack is a breach of trust between the vendor and the customer. One of the popular CMS whose sites are prone to supply chain attacks is WordPress. It is happening due to compromised plugins. 2017 reported a disturbing number of WordPress sites being attacked and it is expected that this trend will rise in 2018 unless the service distributors do not take the necessary steps.

Usually, the service distributing JavaScript is expected to ensure that the site is secure. However, any compromise on the service impacts thousands of websites using the code. In the case of WordPress, supply chain attacks become easier because a single hack can attack numerous WordPress plugins simultaneously.

When a customer buys a software or plugin from a software vendor, the vendor can run their code on the machine or website of the customer. This exposes the system for injection of malware, etc. into the website. Publishers have started exploiting the trust people put into them by pushing malware into WordPress plugins for making easy money. This is termed as WordPress Supply Chain Attack.

Recently there has been a surge in Supply chain attacks and the reasons for these are obvious. The software vendors want to earn money keeping at stake, the trust of their customers. Behind their malpractices lies their interest of monetizing their plugins already purchased by the users. When a user allows automatic updates for plugins, he opens doors for the vendors to push in any type of malware at whatever time they like. In such cases, the software users might consider opting for Monthly WordPress Maintenance Packages to protect their sites from supply chain attacks as regular maintenance is necessary for the websites to run smoothly. On the other hand, one can also invest in a trustworthy WordPress Plugin development agency for developing certain plugins required by their website which ensures safety from such supply chain attacks through infected plugins.

Earlier this year the Western Government websites were hit by WordPress supply chain attacks. A WordPress plugin named Browsealoud was containing crypto mining code. Over 4000 websites were infected with this malware which was using the visitors CPU to mine monero cryptocurrency. Australian provincial government, Uk National health service website, Uk Information commissioner office are the few of those websites that fell prey to Browsealoud plugin.

WordPress Supply chain attacks have been observed to impact countries around the globe on a large scale. Last year in November one more WordPress plugin, Coinhive, was banned for containing crypto mining code for monereo currency.

When a customer buys a software or plugin from a software vendor, the vendor can run their code on the machine or website of the customer. This exposes the system for injection of malware, etc. into the website. Publishers have started exploiting the trust people put into them by pushing malware into WordPress plugins for making easy money. This is termed as WordPress Supply Chain Attack.

Recently there has been a surge in Supply chain attacks and the reasons for these are obvious. The software vendors want to earn money keeping at stake, the trust of their customers. Behind their malpractices lies their interest of monetizing their plugins already purchased by the users. When a user allows automatic updates for plugins, he opens doors for the vendors to push in any type of malware at whatever time they like. In such cases, the software users might consider opting for Monthly WordPress Maintenance Packages to protect their sites from supply chain attacks as regular maintenance is necessary for the websites to run smoothly. On the other hand, one can also invest in a trustworthy WordPress Plugin development agency for developing certain plugins required by their website which ensures safety from such supply chain attacks through infected plugins.

Earlier this year the Western Government websites were hit by WordPress supply chain attacks. A WordPress plugin named Browsealoud was containing crypto mining code. Over 4000 websites were infected with this malware which was using the visitors CPU to mine monero cryptocurrency. Australian provincial government, Uk National health service website, Uk Information commissioner office are the few of those websites that fell prey to Browsealoud plugin.

WordPress Supply chain attacks have been observed to impact countries around the globe on a large scale. Last year in November one more WordPress plugin, Coinhive, was banned for containing crypto mining code for monereo currency

WordPress has become a target for online theft for so many reasons. The first and the very obvious reason being it’s vast user base. WordPress being easy to use has become one of the top favorable content management systems around the globe. Approximately 74,652,825 sites are using WordPress for managing their sites with over 53000+ plugins. This provides a golden opportunity to the attackers for using malware to infect the plugins to carry out supply chain attack on a massive scale.

Secondly, users have to rely on the plugin developers for their safety as according to the WordPress plugin guidelines it is the responsibility of the developers to ensure plugins comply with the guidelines. So the safety of the plugins is as good as the intention of the developer.

In order to detect a malware in WordPress site, close inspection of the site is necessary. Most of the organizations fail to follow this necessary step and as a result, malware goes undetected for months posing a great chance for the attackers to plan their move.

Compromised plugins affecting thousands of websites have left the software users questioning their decisions of purchasing software from vendors. A Serious trust issue is emerging between the software vendors and users. Website owners need Javascript for maintaining site security and if that Javascript is compromised, it’s quite likely customers are going to be reluctant to purchase it.

1. Background check of the vendor: Before installing a new plugin consider that you are going to allow a code to run on your site. Check if the code is coming from a trustworthy source. If not, you might switch to another reliable option.

2. Pay attention to Wordfence alerts: Whenever a plugin is closed or removed from the WordPress.org repository you get an alert. Make sure you don’t find any suspicious activity.[

3. Schedule scans for malware: Keep screening your site for malware. It will help keep any malware in check.

4. Beware of authors who sell their free plugins: Most of the plugins on WordPress are free. In order to make money, the authors of the plugins might sell it. But we never know the buyer might be having an intention of using it for WordPress supply chain attacks.

5. Replace outdated plugins: If a plugin hasn’t been updated in 2 years, it’s time to change it.

Unless a strong Cybersecurity strategy is devised to tackle this situation, these WordPress supply chain attacks are not going to stop any time soon. The best way through this pressing issue is to take necessary precautions before installing a plugin and monitoring the website closely on a regular basis for any suspicious activity, changes or website owners can hire a trustworthy WordPress Plugin Development agency so that they don’t have to worry about the hackers anymore. Another option is to take help of companies who offer regular maintenance of the WordPress site. These plugin agencies also offer optimal Monthly WordPress maintenance packages for particular requirements of the WordPress sites