New License Key Vulnerability Identified in WordPress

We live in an era in which new technology comes out at a rate at which security features against new exploitation is unable to keep up. Every time some new tech explodes to popularity a whole host of security issues comes with it. The latest attack comes in the form of an exploit of the WordPress License Key portal which is done by exploiting the License Key Vulnerability.

WordPress is an immensely popular service with use, figuratively, all across the world. WordPress’ ascent into stratospheric popularity could be attributed to its easily handled UI, in-budget price and a clear-cut option for the web development. But it has also put it in the crosshairs for a whole host of hackers and cyber-criminals. It will be important for a lot of people to understand what is going on, so let us take a look at the situation.

Is your WordPress site hacked? Chat with us now on the chat widget, and we'll be happy to help you.

License Key Vulnerability in WordPress

A website getting hacked is, honestly, a nightmare for a site owner. And it’s never been more pronounced than with the easy to design websites offered by services like WordPress. The usability factor makes them more vulnerable since the majority of WordPress users don’t have any history of coding or a rigorous understanding of how it would be that a cyber-criminal can get in and what they need to do to ensure that it doesn’t happen.

The consequence of this is that you have a massive user-base with a disproportionately small understanding of website design and security. This is, further, validated by the fact that 9 years ago 120,000 sites were hacked in a single year. Since then, the number has only gone up. It’s a vulnerable service with a vulnerable user-base and the spread of information is one of the few ways that people will be able to overcome the potential threat an ensure safety for users no matter what their background is.

Related Article: The ultimate WordPress Security Guide

Why Are There Hacks?

A huge amount of e-commerce use WordPress, and e-commerce by far is the favorite of the hackers. If a hacker can use a bot to identify a vulnerability in an e-commerce store, they are way more likely to be able to benefit directly, by stealing the bank account details of anyone visiting, or by raiding the company’s bank account itself.

Even though e-commerce is the most hit, websites other than e-commerce see hacking as well. We know that WordPress is extensively used for blogging by small and big websites. One of the first things to realize is that hackers rarely seek out websites themselves. Ruben Rivera, tech business writer at Australia2Write writes this as,

“Hackers use bots which crawl the internet sniffing out vulnerabilities and sending the information back to the hacker so that they can make a decision whether they are going to attempt to exploit the vulnerability. Sometimes a massive amount of the process is done by automated bots.”

The upshot of this is that, contrary to a human hacker googling websites and picking the famous ones a bot won’t discriminate in its findings meaning that a WordPress site which is just a personal blog is still at equal risk as a big e-commerce WordPress. In answer to why a hacker would bother with a small site, there are a few reasons.

  • Once a site is hijacked, cyber-criminals can use it to redirect viewers towards malicious sites with malware or spam.
  • They can also infect the site owner’s computer with viruses as well, through the site.
  • Finally, they might be looking to use it to gain access to the server as a whole, which would give them access to an enormous range of other sites and the personal details of an unlimited number of people.

The License Key Hack

One of the most recent hacks for WordPress to have to deal with is the license-key malware spam disguise exploit. As is typical of most discovered exploits it was uncovered by a team of cyber-security experts after a client of theirs reported some subtly suspicious activity pertaining to their WordPress site. Upon further investigation, it was identified as a serious and systematic exploit with unlimited potential for use on other WordPress users’ pages.

The basic breakdown of the attack is as follows.

  • WordPress has license keys which are connected to the website ‘themes’.
  • The license key was then used as a hiding place for malicious code, introduced by hackers.
  • The malicious code that was introduced was actually an injector for spam into any sites which employed the theme license key.

Though it was a smart attack, there were very few layers of coding used to disguise the malware injector, with the majority of the skill of the hack relying on undercutting expectations.

How It Worked

The hack is not especially sophisticated however it was ingenious in another sense. WordPress, as a service which by the end of 2016 was said to be employed by 75 million websites, is used to having attempted or successful violations of their site and having to deal with the same with many of their user sites. There wasn’t a complex encrypting or layering of code to try and worm its way into the WordPress core, it was simply a situation in which the cybercriminals chose an excellent spot to hide their malware injector.

WordPress would never have thought that the license keys for website themes is also a concern. And a webmaster, not being concerned about a certain area makes it a prime target for hackers. They, as a matter of fact, are looking to create some room for themselves to get inside of the website and affect the users. The underplayed nature of the encoding added a further level of surprise for WordPress and its users. Normally, with a webmaster prepared for attacks on WordPress, hackers would be required to heavily encode their cyber-weapon of choice. The surreptitious nature of the exploit camouflaged it extremely well.

Consequences

As was explained, it took a quite vigilant user who wasn’t exactly sure what he was registering, reported it to an actual cybersecurity team to expose the exploit. The interesting thing about this route is that this is a WordPress user with a good sense of how to go about cybersecurity. From recognizing the vulnerability that WordPress and its users are synonymous with, he took the time to employ an alternate form of protection by approaching a dedicated cybersecurity force. This behavior not only helped him save his own site from some particularly nasty malware, but it also uncovered a flaw which has potentially saved the sites and information of countless other users. His decision to do this is extremely wise and represents a good learning moment for other users who might now look more carefully at their own cybersecurity defenses.

It is also a moment that is important for WordPress as they navigate the difficult terrain that they already find themselves in as such a big provider of websites. It is almost certainly the case that the rate at which WordPress has grown has not matched the speed at which they have been developing and investing in their site security. Hopefully, this will be another opportunity for some re-evaluation amidst the relief that nothing particularly badly came of the attack.

WordPress inevitably eliminated the threat and shored up defenses which will leave the future hackers looking for more ingenious ways to go about tricking well-defended systems. As was shown in this instance, it’s not always the most complexly coded attacks which bring them the most success, from time to time there is a sense in which it is more about being clever and finding small holes within the overarching framework which bring them the most success and make it increasingly difficult for websites to defend themselves.

Conclusion

To conclude, though this particular WordPress exploit was nipped in the bud, it represents the overwhelmingly real threat which is presented by cyber-crime to websites. It also shows the urgency with which the imbalance of defense versus attack needs to be redressed, lest more serious and damaging attacks are allowed to be carried out. Hopefully, users will pick up, from events like this, that cybersecurity is vital.

Astra WordPress Security Suite, tailored for WordPress, provides a complete protection against License key vulnerability, XSS, SQLi, CSRF and 100+ threats. Our On-Demand Malware Scanner scans a website and flags the exacts files where the malware can be. Further, it takes only 10 minutes for the first scan and even lesser for subsequent scans. Get an Astra demo now!

Waiting to Get Hacked?

Get security tips & latest vulnerability fixes right in your inbox:

About The Author

Michael Dehoyos

Working as a security marketer and editor at PhdKingdom, Michael Dehoyos helps companies create effective security strategies. He is also passionate about sharing his knowledge and expertise in cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close