
WordPress Plugins: Hackers Love Them

More Opportunities for Hackers

Open-source CMS providers are having a horrific year. WordPress security firms continue to find plugins with hidden backdoors in online stores, WordPress blogs and websites.

The WordPress plugin issue isn't new. Since its inception, WordPress, as open source software, has been plagued with plugins containing hidden scripts. The problem is getting worse - some of the most prominent WordPress plugins around have been discovered to contain hidden backdoors for hackers.

Let's take a glance at WordPress's plugin issues and figure out why the phrase "WordPress backdoor found" has been popping up on our news feed almost daily for the last year.

What's the Problem?

WordPress — the CMS king of open-source projects — fundamentally relies on its community to extend the capabilities of its platform. The problem, however, is that WordPress has a pretty bad reputation for protecting its users against these add-ons. For years, hackers have been hiding scripts in plugins that give them a backdoor into users' websites.

We aren't talking about random small plugins either. This year alone, three of the most significant add-ons for the WordPress platform were found to contain backdoor scripts (see below). Couple this with WordPress's blatant refusal to fix some of the more obvious flaws in their scripting (such as this unpatched DoS flaw that allows anyone to quickly DDoS your website) and you have a hacker's playground of sorts.

Let's ignore all of the other security flaws in WordPress for a moment (there are a lot) and talk about which plugins are currently "under-the-gun" for containing hidden scripts.

What are the Plugins?

Well, there are a lot.

Recently, Duplicate Page and Post,, and WP No External Links were all found to contain backdoors. These three extensions combined have around 100,000 active users, which means that approximately 100,000 websites could have had hackers injecting spam pages into them without their owners knowing. The WordPress team has since removed the add-ons from availability, but members of the WordPress community who still have the plugins installed will continue to have backdoors (around 70,000 active users currently).

Last year, a backdoor was found in Captcha, the largest Captcha-related WordPress extension available. The backdoor affected more than 300,000 websites by the time it was found. The same person who released Captcha with a hidden backdoor was also responsible for Display Widgets (affecting +200,000 users) and 404 to 301 (+70,000 users), both of which were also found to contain backdoors.

Another interesting recent backdoor was in the plugin X-WP-SPAM-SHIELD-PRO. Masquerading as a security add-on, X-WP-SPAM-SHIELD-PRO allowed the plugin owner to create administrator accounts on websites and inject spam content into websites and blogs running the plugin. This goes to show that even security anti-spam plugins on WordPress can contain spam. It's not a good situation. This begs the question: do you know enough about the developer who built the add-on you're using to trust them with your website, your data, your reputation?

The list goes on and on. Recently, a lot of plugins have been coming under fire for containing backdoors. Who knows how many more have backdoors that have yet to be discovered? As it stands, it takes years for WordPress to discover backdoors in some of their plugins, depending upon how crafty the developer (hacker) is.

How Do You Know if You Have a Backdoor?

Honestly, you probably won't know if you have a backdoor.

WordPress has a long-standing reputation for enabling hackers to use backdoors to inject spam links into websites. It doesn't seem to matter how popular the plugin is or how safe it may appear to be. Hackers have been finding ways to backdoor into people's websites without their permission.

Even Jetpack — the biggest WordPress plugin with +5 million active users — was being used to hack into weakly protected WordPress.com websites earlier this year (this isn't the first time that Jetpack has been vulnerable either; this flaw impacted more than 1 million websites).

Sometimes removing the plugin fixes it, but most people aren't even aware that their plugins contain backdoors.

A Hong Kong man found 14 backdoored WordPress plugins over three years ago. Today, there are still hundreds of websites that have been found to be suffering backdoors from those same 14 plugins.
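Because removed plugins stay installed on existing sites, one practical check is to inventory what is actually in `wp-content/plugins`. The following is an added example, not code from the original article: it reads each plugin's standard `Plugin Name:` header and flags installs whose name matches a plugin named above. The exact-name matching, folder names and version strings in the sample tree are assumptions made for illustration.

```python
import re, tempfile
from pathlib import Path

# Names exactly as the article gives them. A match means "review this install",
# not "confirmed backdoored": the article lists no affected versions.
FLAGGED = {"duplicate page and post", "wp no external links", "captcha",
           "display widgets", "404 to 301", "x-wp-spam-shield-pro"}

# WordPress plugin header convention: "Plugin Name: ..." inside a leading comment.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def read_plugin_header(php_file):
    """Parse Plugin Name / Version from the first 8 KB of a plugin file."""
    head = Path(php_file).read_bytes()[:8192].decode("utf-8", errors="replace")
    fields = {}
    for key, value in HEADER.findall(head):
        fields.setdefault(key.lower(), value)  # first occurrence wins
    return fields

def audit_plugins(plugins_dir):
    """Return (folder_or_file, name, version) for installed plugins named in FLAGGED."""
    root = Path(plugins_dir)
    findings = []
    # Plugins live either as a single file or one directory level down.
    for php in sorted(list(root.glob("*.php")) + list(root.glob("*/*.php"))):
        hdr = read_plugin_header(php)
        name = hdr.get("plugin name", "")
        if " ".join(name.lower().split()) in FLAGGED:
            where = php.name if php.parent == root else php.parent.name
            findings.append((where, name, hdr.get("version", "unknown")))
    return findings

def build_sample_tree(root):
    """Constructed sample install (made-up folders and versions), for the demo only."""
    samples = {
        "display-widgets/display-widgets.php": "<?php\n/*\nPlugin Name: Display Widgets\nVersion: 0.0.0\n*/\n",
        "contact-form/contact-form.php": "<?php\n/**\n * Plugin Name: Sample Contact Form\n * Version: 1.2\n */\n",
        "404-to-301/main.php": "<?php\n// Plugin Name: 404 to 301\r\n",
        "contact-form/helper.php": "<?php\nfunction helper() {}\n",
    }
    for rel, body in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body.encode())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in audit_plugins(tmp):
            print("REVIEW:", finding)
```

Run against a copy or read-only mount of the real plugins directory; a flagged name is a prompt to check the installed version and the site's administrator accounts, since the backdoors described above created admin users.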

What Do You Do if You Don't Want Hackers Inside Your Website?

The simple solution? Switch to QuickSilk.

WordPress and Drupal have been subject to an unprecedented amount of cyber-attacks this year. Hackers continue to find new ways to penetrate the open-source software and inject all kinds of nasty content into people's websites without their permission.

The best way to protect yourself is to jump ship. Come over to QuickSilk. We're safe and secure, and our CMS is quick as lightning.

Look, the problems with Open Source Software CMSs continue to get worse. Isn't it time you found an easy-to-use, secure, and affordable CMS? Contact us to learn more.