This serves as a useful reminder to us all to be very careful what you’re downloading and where you’re downloading it from.
Apparently the author of this article has only been jotting down what others told him (or what he read reported elsewhere)… because this paragraph (about the infection process) is mostly false:
If your shared hosting provider knows their shit, this is never going to happen! But a nice side blow against the shared hosting concept ^^
Aside from that: well-done scheme. SEO combined with warez, combined with developers unwilling to invest time, and users being lured into believing this might actually be legit (it certainly is a grey area, with the GPL derivative works policy etc.) or, even worse, thinking one of the sites is an official source for the theme or plugin they downloaded.
Another attack vector / incursion option into a (formerly) safe and sound WP / CP install - besides taking over a plugin on the wp.org plugin repository for cheap or no money, or simply phreaking or social engineering themselves into the owner’s account information.
A good option against infection by plugin (or theme) might be to have a security plugin / scanner around that scans each freshly uploaded or installed plugin before it is activated, and may insert a warning or at least some kind of vulnerability / “tendency to inflict harm” rating for the newly installed plugin - so before the user is able to click on the “Activate” button, they get a nice info that they might accidentally infect their own site with a nasty pest. Although, let’s not venture into the depths of snake oil and actively prevent installation - a passive, semi-intrusive information should hopefully do the trick for most of the users.
Of course, there are always users Who Know Better ™ - and then come crying / complaining about how YOU, the developer, fucked up their system, after THEY installed a specific plugin (which they are not going to tell you, but: “I did nothing! It suddenly exploded by itself! YOU ran some update, and it broke the site, didn’t you?!?”). For these, I’d wish to have something entirely different. Maybe there is a hosting provider around that allows for “shared hosting” of multiple sandboxes? Including incremental backup of those sandbox states? So if your Client Out Of Hell ™ fucks up again, you just do a few mouse clicks / keyboard taps … et voilà! The site is up and running again.
ps: Original security report by Wordfence, on which the ZDNet article seems to be mostly based: https://www.wordfence.com/blog/2019/11/wp-vcd-the-malware-you-install-on-your-own-sites/
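As an added illustration of the pre-activation scanner idea in the post above (this is example code written for this page, not code from the original thread, from ClassicPress or from any existing security plugin): a Python sketch that opens a plugin zip, walks every `.php` file in it, scores common obfuscation and dynamic-execution idioms, flags archive entries that would escape the plugin directory on extraction, and reduces the result to a low / medium / high rating an installer could show next to the “Activate” button. The indicator list, the weights and the rating thresholds are illustrative assumptions, and the two plugin archives are constructed in the script, not real samples.

```python
"""Heuristic pre-activation scanner for a WordPress / ClassicPress plugin zip.

Added example: rates a plugin archive *before* it is activated, so the
installer can warn the user. Indicator weights and thresholds are
illustrative assumptions, not a published scoring scheme.
"""
import io
import re
import zipfile
from dataclasses import dataclass, field

# (regex, weight, label). Weights are assumptions chosen for this example.
INDICATORS = [
    (re.compile(r"\beval\s*\("), 5, "eval() of runtime-built code"),
    (re.compile(r"\b(?:create_function|assert)\s*\("), 4, "dynamic code execution"),
    (re.compile(r"\bbase64_decode\s*\("), 3, "base64_decode()"),
    (re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\("), 3, "decode/inflate helper"),
    (re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b"), 1, "reads raw request input"),
    (re.compile(r"\bwp_insert_user\s*\("), 4, "creates a user account"),
    (re.compile(r"\bfile_put_contents\s*\("), 2, "writes files on the server"),
    (re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"), 3, "long hex-escaped string literal"),
    (re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"), 3, "long base64-like string literal"),
]


@dataclass
class Finding:
    path: str
    line: int
    weight: int
    label: str


@dataclass
class Report:
    score: int = 0
    findings: list = field(default_factory=list)
    unsafe_paths: list = field(default_factory=list)

    @property
    def rating(self) -> str:
        # A zip-slip entry is disqualifying on its own; otherwise sum the weights.
        if self.unsafe_paths or self.score >= 10:
            return "high"
        if self.score >= 4:
            return "medium"
        return "low"


def scan_php_source(path: str, source: str) -> list:
    """Return one Finding per indicator hit, with the 1-based line number."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, weight, label in INDICATORS:
            if pattern.search(line):
                findings.append(Finding(path, lineno, weight, label))
    return findings


def scan_plugin_zip(data: bytes) -> Report:
    """Scan every .php member of an in-memory plugin archive."""
    report = Report()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            parts = info.filename.replace("\\", "/").split("/")
            # Absolute paths or ".." segments would escape the plugin directory.
            if info.filename.startswith(("/", "\\")) or ".." in parts:
                report.unsafe_paths.append(info.filename)
                continue
            if not info.filename.lower().endswith(".php"):
                continue
            source = zf.read(info).decode("utf-8", errors="replace")
            hits = scan_php_source(info.filename, source)
            report.findings.extend(hits)
            report.score += sum(f.weight for f in hits)
    return report


def build_sample_zip(files: dict) -> bytes:
    """Build a zip in memory from {archive path: text body}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample archives for this example (not real plugins or malware).
CLEAN_PLUGIN = build_sample_zip({
    "hello/hello.php": "<?php\n/* Plugin Name: Hello */\n"
                       "add_action('init', function () { echo 'hi'; });\n",
    "hello/readme.txt": "just a readme\n",
})

SUSPICIOUS_PLUGIN = build_sample_zip({
    "nulled/nulled.php": "<?php\n/* Plugin Name: Nulled Pro */\n"
                         "include_once __DIR__ . '/inc/loader.php';\n",
    "nulled/inc/loader.php": "<?php\n"
                             "$p = base64_decode($_REQUEST['p']);\n"
                             "eval(gzinflate($p));\n"
                             "wp_insert_user(array('user_login' => 'admin2', 'role' => 'administrator'));\n",
})

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PLUGIN), ("suspicious", SUSPICIOUS_PLUGIN)):
        report = scan_plugin_zip(blob)
        print(f"{name}: rating={report.rating} score={report.score}")
        for f in report.findings:
            print(f"  {f.path}:{f.line}  +{f.weight}  {f.label}")
```

The scan is purely lexical, so it is a warning signal, not a verdict: a clean plugin that legitimately calls `base64_decode()` will pick up a few points, and an attacker can split strings or use variable functions to dodge the patterns. That is exactly why the post above argues for an informational rating rather than blocking installation.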
I agree, the paragraph about shared hosting is mostly wrong. Usually this kind of malware looks for other sites hosted on the same account - that is a big difference from “on the same server”.
Agreed. But the principle remains the same. Some dodgy sites do look quite authentic. And some sites long believed to be authentic are actually quite dodgy (think Pipdig). Obviously, if you’re stupid enough to knowingly download nulled software, then you deserve what you get. But I’m just saying that it may not always be that obvious.
Let’s be careful out there
In time, the plugin directory will let us go a long way to solving this problem (we’ll provide signed hashes and CP can warn if they don’t match), but ultimately if the user is stupid enough to upload nulled plugins/themes there’s only so much we can do.
Exactly. If THAT happened with one of your clients - or yourself - the time to switch is NOW.
Albeit I’m making sure - if the client(s) are not “beratungsresistent” (German for “resistant to advice”; this should be a staple, just like Zeitgeist and Blitzkrieg!) - to convince all my clients to move to a proper, reliable shared hosting provider, or not to set up shop with one of … unknown … quality in the first place.