WordPress supply chain attacks: what are they and how to prevent them?
By Andres Monzant
7 Min read
WordPress is the most popular content management system, attracting many hackers wanting to exploit such a rich ecosystem for their benefit. Supply chain attacks are one of the methods they use to gain unauthorized remote access to websites.
While not as widely used as XSS or SQL injections, supply chain attacks can be equally or more insidious by infiltrating the sources we consider safe: the software powering the plugins and themes that make our site work.
This article explores supply chain attacks and the consequences that come with them, and also what you can do as a website owner to prevent them.
What are WordPress supply chain attacks?
In cybersecurity, supply chain attacks target the services, software, or hardware companies rely on to operate. These services, software, or hardware are part of the company supply chain, and disrupting them reduces the company’s ability to function efficiently.
In WordPress, a supply chain attack refers to cyberattacks targeting popular plugins and themes. Once they’ve found a vulnerability they can exploit in a popular plugin or theme, hackers may be able to plant backdoors into the websites that installed these software components. From there, they can perform SEO spam attacks, take over admin accounts, and more.
Recent examples of WordPress supply chain attacks
There’s been a global rise in supply chain attacks in recent years. Some experts believe this rise is fueled by the improvement of cybersecurity measures in general, which may lead hackers trying to indirectly attack their targets through their supply chain rather than face them head-on.
Regardless of the causes, these are three of the most significant WordPress supply chain attacks that have occurred recently:
Pipdig backdoor. In March 2019, it was revealed that the plugin Pipdig Power Pack contained a backdoor that allowed the plugin author to access and modify affected WordPress sites remotely.
WP GDPR Compliance vulnerability. In November 2018, the plugin WP GDPR Compliance was found to contain a vulnerability that allowed hackers to inject malicious code into WordPress sites.
AccessPress Themes backdoors. AccessPress was a WordPress plugin and theme developer that suffered a supply chain attack in late 2021 but was detected in early 2022. An estimated 93 plugins and themes were compromised. As a result, websites that installed any of them were highly likely to suffer backdoor attacks.
In these cases and many more, you’ll see a pattern: the vulnerability that exposed websites to hacks came “packaged in” with a software component necessary for normal operation. That defines a WordPress supply chain attack, infiltrating websites through a presumably trustworthy source like a plugin or theme developer.
How do WordPress supply chain attacks occur?
Supply chain attacks are a very old cybersecurity vulnerability and a particularly hard one to counter. They occur when bad actors like hackers inject malicious code into a piece of software or hardware from a trusted source. In the context of WordPress, hackers can only intercept software components since there’s no exchange of hardware equipment.
Once hackers have identified a popular source that gives them access to hundreds or thousands of sites, they introduce malware into the target’s legitimate software packages. In the AccessPress Themes, hackers introduced a file called “initial.php” into the main theme directory. The file self-destructed after downloading a malicious payload.
Using methods like these, hackers ensure that whenever a user downloads and installs an infected piece of software, they inadvertently expose themselves to a cyberattack.
How do WordPress supply chain attacks affect websites and users?
Supply chain attacks can negatively affect website owners and their supply chain sources. Some of the most significant include the following:
Loss of data. Infected websites are vulnerable to being hacked, which exposes them to losing confidential and sensitive information like customer data, financial information, or intellectual property.
Vulnerability to further attacks. Once a backdoor is placed into a website, it’s more vulnerable to further attacks, such as being used to spread malware or SEO spam to users and being used to participate in DDoS attacks.
Reputational damage. If your site is compromised and your users cannot use your services in the interim, your brand’s reputation may take a hit, and they may be less willing to trust you.
Financial losses. Certain types of businesses, like financial services, can’t afford to be offline due to an attack caused by a supply chain infiltration.
Legal consequences. Depending on where your business is based, you may be vulnerable to legal consequences if your website suffers a breach that exposes other people’s confidential data. Your company may be fined and suffer lawsuits.
A sense of uneasiness and paranoia. Website owners who fall victim to supply chain attacks may find it harder to trust developers after experiencing these consequences.
Supply chain attacks can result in severe consequences for the supplier (in WordPress’ context, the developer), the websites that installed the software component, and the users whose information may be exposed.
How to prevent WordPress supply chain attacks?
Protecting your site from supply chain attacks can be difficult because they operate by contaminating trusted sources. However, there are still measures you can take to prevent them.
Carefully screen your plugins and themes
Since WordPress supply chain attacks originate in your plugins and themes, the best measure to prevent them is strictly vetting every plugin and theme you plan to install. Consider the following when exploring plugins and themes:
Ratings and reviews. Check the plugin or theme’s ratings and reviews on the directory. Check the reviews to see if any user complains about security or functionality issues.
The developer’s reputation. Explore past ratings and reviews from the developer’s other contributions. Determine whether their work is considered trustworthy and high-quality.
Update frequency. Plugins that are regularly updated are safer because the developer(s) are actively monitoring and counteracting security vulnerabilities.
Review the source code. If you know how to code and have experience with plugins or theme development, review the source code to verify it does not contain any suspicious or malicious code. Public repositories like GitHub are a good place to start.
Download only from trustworthy sites. Trustworthy sites are generally run by the developer or WordPress itself. Although trustworthy sites have been proven to be vulnerable in the past, it’s still the safest source for your software.
Keep WordPress, plugins, and themes updated
When a vulnerability like a backdoor injected into a plugin or theme is detected, experts recommend deactivating the component and only activating again if the developer releases a patch that eliminates the vulnerability. It’s a must to stay aware of known vulnerabilities in the plugins and themes you install and update them as soon as possible.
On the other hand, while the WordPress core files are rarely the source of supply chain attacks, it has happened, such as in versions 4.7.0 and 4.7.1. The critical vulnerability was patched in version 4.7.2.
Keeping your core files and components updated protects your site from known attacks.
Recover a backup or reinstall WordPress
This is a reactive measure, but it’s worth considering.
Creating backups is an essential element of WordPress security. Making regular backups allows you to have multiple versions of your website available for restoration. This way, you can roll back your site to when it wasn’t infected with a supply chain attack or any other security vulnerability.
However, this approach requires you to know when the vulnerability entered your WordPress environment to restore your site to a point before that time. This may not always be possible for vulnerabilities that have been present on your site for long periods. Additionally, you will lose any information added to the site since that last backup, so consider whether it’s convenient.
Another option is reinstalling WordPress entirely to scrap all malicious files from your core files, including ones you may not know about.
WordPress supply chain attacks are a cyberattack targeting popular plugins and themes. Their goal is to insert malware or backdoors that allow attackers to compromise hundreds or even thousands of websites at the same time.
Attackers use legitimate software components to exploit vulnerabilities and gain access to a website, resulting in significant consequences for website owners, including data loss, further attacks, reputational damage, financial losses, and legal consequences.
To prevent WordPress supply chain attacks, website owners should:
Carefully screen their plugins and themes.
Only choose trustworthy sites to download your plugins and themes.
Keep plugins, themes, and WordPress core files updated.
By taking these steps, you’ll be better protected and reduce the risk of cybersecurity breaches.