Fake WordPress Plugins
How to Avoid Fake WordPress Plugin Scams
WordPress is the most popular website and blogging platform in the world. Unfortunately, that means that it is also a massive target for scammers.
The platform is designed to be easy to use, even for those with little technical knowledge: it offers many plugins that allow website owners to add extra functionality to their sites. However, because third-party developers write these plugins, they can be used to scam either site owners or visitors.
The Problem With (Some) Plugins
The most recent example of a WordPress plugin scam concerned a plugin called ‘Yuzo Related Posts’. This is a very popular plugin that allows website owners to direct visitors to related content within their sites.
The scam targeted the 60,000 website owners currently using the plugin and was initially reported by BleepingComputer, an ICT security website. A vulnerability in the plugin's code allowed attackers to insert redirects to unwanted sites: visitors to an affected site were sent, via a few intermediate sites, to scam websites.
The scam sites then used social engineering techniques to trick visitors into sharing their personal information. One site, for instance, told users that there was a ‘security flaw’ on their computer and that they should call a (premium-rate) phone number to resolve it.
This scam is just the latest in a long line of scams that have affected the WordPress platform. Previous attacks on other plugins, such as Social Warfare and Easy WP SMTP, also injected code into sites that redirected visitors to scam websites.
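Injected redirects of the kind described above leave traces in the HTML a site serves: an inline script that changes `window.location` to an off-site URL, a `<meta http-equiv="refresh">` pointing elsewhere, or an obfuscated script block. The following is an added example (not code from the article or from any of the plugins it names) that scans a saved copy of a page for those traces. `site_host` and `allowed_hosts` are assumed parameters: your own hostname and the third-party hosts you knowingly load scripts from (CDN, analytics), so that only unexpected off-site targets are reported. The sample HTML is constructed for the example.

```python
"""Detect injected redirect code in a rendered WordPress page (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# JavaScript constructs that send the visitor to another location.
REDIRECT_CALLS = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href|\.replace\s*\(|\s*=)", re.I)
# Wrappers commonly used to hide where a script sends the visitor.
OBFUSCATION = re.compile(r"eval\s*\(|unescape\s*\(|String\.fromCharCode|atob\s*\(", re.I)
URL_IN_JS = re.compile(r"""https?://[^\s'"<>]+""", re.I)
META_REFRESH_URL = re.compile(r"""url\s*=\s*['"]?([^'";\s]+)""", re.I)

# Constructed sample page: an allowed analytics script, an injected meta refresh
# and an injected inline redirect, plus one harmless script.
SAMPLE_HTML = """<!doctype html>
<html><head><title>My blog</title>
<script src="https://cdn.example-analytics.test/a.js"></script>
<meta http-equiv="refresh" content="0;url=https://prize-claim.invalid/win">
</head><body>
<p>Welcome to my blog.</p>
<script>
var u = "https://hello.invalid/r.php";
window.location.href = u;
</script>
<script>document.getElementById("x").textContent = "ok";</script>
</body></html>
"""


class _Collector(HTMLParser):
    """Collects inline scripts, external script sources and meta refresh tags with line numbers."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self._buf = []
        self._line = 0
        self.scripts = []       # (line, inline script body)
        self.script_srcs = []   # (line, src attribute)
        self.meta_refresh = []  # (line, content attribute)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self.in_script = True
            self._buf = []
            self._line = self.getpos()[0]
            if a.get("src"):
                self.script_srcs.append((self._line, a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append((self.getpos()[0], a.get("content") or ""))

    def handle_data(self, data):
        if self.in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self.in_script:
            self.in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.scripts.append((self._line, body))


def _offsite(url, site_host, allowed):
    """True when the URL's host is neither the site itself nor an allowed third party."""
    host = (urlparse(url).hostname or "").lower()
    return bool(host) and host != site_host.lower() and host not in allowed


def find_redirect_injections(html, site_host, allowed_hosts=()):
    """Return findings sorted by line: dicts with 'line', 'kind' and 'detail'."""
    allowed = {h.lower() for h in allowed_hosts}
    p = _Collector()
    p.feed(html)
    p.close()
    findings = []
    for line, src in p.script_srcs:
        if _offsite(src, site_host, allowed):
            findings.append({"line": line, "kind": "external-script", "detail": src})
    for line, body in p.scripts:
        offsite_urls = [u for u in URL_IN_JS.findall(body) if _offsite(u, site_host, allowed)]
        if REDIRECT_CALLS.search(body) and offsite_urls:
            findings.append({"line": line, "kind": "redirect", "detail": offsite_urls[0]})
        elif OBFUSCATION.search(body):
            findings.append({"line": line, "kind": "obfuscated-script", "detail": body[:60]})
    for line, content in p.meta_refresh:
        m = META_REFRESH_URL.search(content)
        if m and _offsite(m.group(1), site_host, allowed):
            findings.append({"line": line, "kind": "meta-refresh", "detail": m.group(1)})
    return sorted(findings, key=lambda f: f["line"])


if __name__ == "__main__":
    for f in find_redirect_injections(SAMPLE_HTML, "myblog.example", ["cdn.example-analytics.test"]):
        print(f"line {f['line']:>3}  {f['kind']:<18} {f['detail']}")
```

Run it against HTML fetched from your own site (for example with `curl`) rather than relying on what a browser shows, because some injected redirects are only served to certain visitors. Keep the allowed-host list short and deliberate: every host on it is one the check will never flag.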
Some of these scams go further. A significant concern among WordPress developers is that an increasing number of fake plugins are designed to introduce security flaws in WordPress sites. Back in 2017, for instance, a phony plugin called X-WP-SPAM-SHIELD-PRO was offered to site owners. This plugin claimed to be a security plugin that protected site owners from spam and other forms of unwanted correspondence.
In reality, the X-WP-SPAM-SHIELD-PRO plugin was a piece of malware. Rather than improving security, it fatally undermined the safety of the WordPress sites it was installed on. Fake plugins like this continue to appear and continue to affect WordPress site owners.
How To Protect Yourself Against Plugin Scams
The majority of WordPress users are not IT pros, and this makes it very difficult for them to spot fake or malicious plugins. There are, though, a few simple steps you can take to limit your vulnerability to scams like this:
First and foremost, only use the official WordPress plugin directory at wordpress.org/plugins. WordPress does a lot of work to check and verify that the plugins in the directory are real. While the occasional malicious plugin does slip through, it is much safer to get your plugins from there than from anywhere else.
If you are using a third-party host for your WordPress site, make sure you choose a good one that specializes in WordPress hosting. The best WordPress hosts should include in your plan frequent scans of your site for vulnerabilities, and keep you updated if they find your site is at risk.
Make sure that you update your plugins frequently. Popular plugins that a lot of people use are major targets for attackers, and new vulnerabilities are found all the time. Plugin authors will patch these security holes, but if you don’t update your plugins your site will be left open to compromise.
Besides keeping your plugins updated, only use the plugins you need. Sometimes you’ll download a plugin just to try it out, and that’s fine. If you don’t end up using it, though, you should remove it from your site as soon as possible. If you don’t, you’ll forget it is there, and it will continue to offer an opportunity to hackers for years to come.
You should also make sure that you check the terms and conditions of any plugins you download. In many cases, plugins will ask for your permission to collect data on your site, and users will give this to them without knowing they are doing so. When this data turns up somewhere else, they will think that they have been hacked, but they haven’t: after all, it’s not a data leak if you give your consent.
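The steps above amount to a recurring inventory check: is every installed plugin one you chose from the official directory, is it up to date, and is it still in use? The following is an added example (not code from the article) that runs that check over the JSON printed by WP-CLI's `wp plugin list --format=json` and turns each problem into the matching WP-CLI command. The approved-slug list is an assumption: a set you maintain of the plugins you deliberately installed from wordpress.org. The plugin list below is constructed sample data in that format, with made-up names and versions.

```python
"""Audit a WordPress plugin inventory for updates, dead weight and unknown plugins (added example)."""
import json

# Constructed sample in the shape of `wp plugin list --format=json` output;
# names and versions are invented for the example.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none",
     "version": "4.1.2", "update_version": None},
    {"name": "related-posts-demo", "status": "active", "update": "available",
     "version": "5.1.0", "update_version": "5.1.3"},
    {"name": "hello", "status": "inactive", "update": "none",
     "version": "1.7", "update_version": None},
    {"name": "super-spam-shield-pro", "status": "active", "update": "none",
     "version": "1.0", "update_version": None},
])


def directory_url(slug):
    """Page the plugin would have in the official directory if it were listed there."""
    return f"https://wordpress.org/plugins/{slug}/"


def audit_plugins(plugin_list_json, approved_slugs):
    """Return a list of {plugin, issue, fix} dicts; 'fix' is a WP-CLI command or a check to perform."""
    approved = set(approved_slugs)
    actions = []
    for p in json.loads(plugin_list_json):
        name = p["name"]
        # Step 1: unpatched plugins are the main way a site gets compromised.
        if p.get("update") == "available":
            actions.append({
                "plugin": name, "issue": "update-available",
                "fix": f"wp plugin update {name}  # {p.get('version')} -> {p.get('update_version')}",
            })
        # Step 2: an inactive plugin is still code on disk an attacker can reach.
        if p.get("status") == "inactive":
            actions.append({"plugin": name, "issue": "inactive",
                            "fix": f"wp plugin delete {name}"})
        # Step 3: anything outside your approved inventory needs its origin confirmed.
        if name not in approved:
            actions.append({
                "plugin": name, "issue": "not-in-approved-inventory",
                "fix": (f"confirm {name} is the plugin you installed from {directory_url(name)}; "
                        f"otherwise wp plugin delete {name}"),
            })
    return actions


def issues_by_plugin(actions):
    """Group issue names by plugin for a quick summary."""
    out = {}
    for a in actions:
        out.setdefault(a["plugin"], []).append(a["issue"])
    return out


if __name__ == "__main__":
    approved = {"akismet", "related-posts-demo", "hello"}
    for a in audit_plugins(SAMPLE_PLUGIN_LIST, approved):
        print(f"{a['plugin']:<24} {a['issue']:<28} {a['fix']}")
```

On a real site, feed it `wp plugin list --format=json` from the server and run it from cron or your host's maintenance job so that a plugin that acquires an update, or that you forgot to remove, shows up without you having to remember to look.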
Identity and Data Theft
The consequences of scams like these can be enormous, and not just for the owners of websites. Fake websites can be used to steal personal information, and ultimately to allow attackers to perpetrate identity theft.
For site owners, the consequences of falling victim to a fake plugin scam can be even worse. In some cases, an attacker can lock owners out of their own sites and demand a ransom to restore access. In smaller attacks, a hacker might steal the personal information that a site owner has collected on their customers and sell it for a profit. This type of attack won’t affect the site owner directly (and in fact, they might not even notice), but it will hugely damage their reputation if the data leak becomes public knowledge.
Spotting a Scam Plugin
When it comes to spotting a fake plugin, you should use the common sense that keeps you safe from other types of scams. If a plugin seems too good to be true, it probably is. It’s also a good idea to do a quick Google search for any plugin you are thinking about using, because news about vulnerabilities will appear quickly on message boards and the tech press.
Suspicious Activity on WordPress: How To Report
You can also officially report scammers and suspicious activity on WordPress to the Federal Trade Commission.
How To Protect Yourself More
If you want to be the first to find out about the most notorious scams every week, feel free to subscribe to the Scam Detector newsletter. You’ll receive periodic emails, and we promise not to spam. Last but not least, use the Comments section below to expose other scammers.