What Is a Supply Chain Attack?

In the software industry, supply chain attacks exploit trust relationships between software vendors or authors and their customers. For WordPress, it means finding a way of embedding malware into software updates. In one case, we noticed an existing plug-in builder installed malware on the customer's site in an attempt to monetize an existing plugin. In every other case we have found, the attack is done by someone who has purchased the plugin with the intent to attack its users.

Here's a recent WordPress supply chain attack we found:

• At the end of December, we found a backdoor installed in three plugins after completion: Duplicate and Post Pages, No Follow All. External and None. (Bleeping Computer coverage).
• In mid-December we found a backdoor in the Captcha plugin after its purchase. This plugin is active on over 300,000 websites.
• In early November we found a plugin that mines the Monero cryptocurrency using the resources of the CPU resources in that place.
• In September, we found a 4.5 year spam campaign affecting nine plugins, which we discussed in a series of posts.

This attack works because, as a site owner, you've made the decision to trust the software vendor or author. In many cases, you may have gone a step further to enable plugin auto-updates, which allow authors to redirect attackers to push malware onto your website whenever they want.

Why WordPress Becomes Target?

WordPress is an attractive target for supply chain attacks for a number of reasons.

The first reason is just scale. According to w3techs, the power of WordPress is 29.2% of all websites - a large user base to follow. Additionally, at least 53,566 plugins are available for download in the official WordPress.org plugin repository. It works a lot with both fronts.

Second, the WordPress.org plugin directory is a community-based open source. According to the plugin guide page, "It is the responsibility of the plugin developer to make sure all the files in their plugin match the guidelines." That is, while there is a small team tasked with managing plugin repositories and other small teams focused on security, users end up relying on plugin developers to keep them safe.

Thirdly, most WordPress sites are managed quite relaxed. Making changes to websites in larger companies may include formal code review, testing and change control processes. But that may not happen consistently, if at all, on the smallest website. In addition, many site owners do not monitor their WordPress sites strictly, which means malware can often last for several months without being found.

Finally, WordPress plugin repositories have a large number of blank plugins. When we looked back in May, almost half of the available plugins were not updated in more than two years. This is a great opportunity for others to find out about unsuspecting plugin makers in selling something they created many years ago and have been switched from.

Why WordPress Plugin Writers Sell Their Plugins?

Most plugins in the repository are completely free to use, meaning no premium features are available for purchase. While that's generally a very positive thing for the WordPress community, the reality is that everyone behind that free plugin still needs to make a living. If they do not make money from the plugins they make, they often lose interest or even leave them altogether.

When someone approaches those who offer money for their plugins, it may be hard to miss. And plugin makers might think it's a very innocent offer, because unlike a supply chain attacker who announces their bad intentions. Conversely: in the purchase request we have seen, they often appear as someone who wants to help.

This is an excerpt from a call to buy plugins we saw earlier in 2017:

I am wondering if me and my team can buy this plugin from you and then take full advantage of it and push new updates to make it work better with the latest wordpress.

We will also put our admin team into the support forums and make sure users are satisfied and if there is a feature they specifically request, we will add it to the next update.

As a plugin writer who creates something that thousands of people use, what a wonderful opportunity it is! This good man offers to not only take the place you leave with something you care enough to build it, but also willing to give money for it too.

How to Protect Your Site

Fortunately, you can protect your site from this attack with a number of effective tactics.

• Screen plugins and themes very carefully. Every time you install a plugin or theme, you let someone new code run on your site. In general, the more established and active writers the better.
• Scan your site for malware on a regular basis. We recommend enabling scheduled scans with both Wordfence and Gravityscan. Both include free scheduled scan options.
• Check your site and IP address from blacklist regularly. Gravityscan checks over 20 of them for free.
• Be careful when the WordPress.org repository deletes or "closes" any of your installed plugins, or when changing hands. Wordfence tells you when the plugin is removed from the repo for whatever reason.
• Consider deleting or replacing the abandoned plugin. The author of this plugin is the most likely to sell it. Wordfence notifies you when the plugin has not been updated in 2 years. 
• Keep an eye on our blog. We will continue to share information about plugins that have been compromised when we find them in our research.
• conclusion Unfortunately, we believe that this type of attack on the WordPress ecosystem will be increasingly popular. Attackers are also likely to use new and creative tactics that we can not expect in the new year.

As a site owner, you need to apply extra checks to every plugin and theme you add to your website while keeping your eyes open for something weird so the plants stay alert to such potential attacks in the future.