Having a WordPress website is fantastic, but there is still a fight between the good guys and the bad guys in the digital world… Doesn’t it sound like a movie plot? However, this is a reality! Security researchers and developers, on the other hand, want to keep the website secure. And the bad guys – hackers and spammers – try to use it for malicious purposes without permission.
While you’re reading this, an attacker is attempting to gain unauthorized access to a WordPress website by exploiting a flaw in a plugin.
Security researchers discovered a persistent cross-site scripting (XSS) flaw in the WP Live Chat Support plugin in April 2019. This tipped the bad guys, aka hackers, to exploit this vulnerability and inject malicious scripts into a website, allowing them to take control of it. WP Live Chat Support is a WordPress plugin that serves as a free alternative to other fully functioning live chat support plugins that are designed to increase interaction and conversions. There were over 60,000 active installations of the plugin, putting thousands of users at risk.
What was this vulnerability and how does it affect you?
An intruder may use the WP Live Chat Support plugin’s vulnerability to launch cross-site scripting (XSS) attacks on the target website.
The hacker injects a malicious script or code on your website without your knowledge in an XSS attack. This code can then collect user data (oh no! ), modify your website’s content, or redirect users to another compromised website. Persistent XSS occurs when a hacker successfully injects his or her code into a portion of your website that is stored on the server (for example, user comments).
‘Persistent,’ since the browser executes the malicious code any time a user loads the infected webpage, completing the assault.
We all know how important site security is to search engines, especially Google. As a result, any such flaw would have a negative effect on your SEO. Not only that, but it also undermines the users’ confidence. In the worst-case scenario, you might lose access to your website or have your web hosting account revoked due to spam links and malware on your site.
The fact that this vulnerability does not need any authentication and can be abused by users who do not even have an account on the infected website makes it a big deal. Since no authentication is needed, it is simple to automate the attack to affect a large number of sites, in this case over 60,000!
The attack
Because of an unsafe ‘admin init hook,’ the assault is probable. When it comes to WordPress plugin attacks, this is where the vast majority of attackers begin their attacks.
Let’s start with an explanation of what a hook is. A hook is a way for one piece of code to communicate with and modify another piece of code. When anyone visits the site’s admin page, WordPress normally calls this hook. Developers may use this hook to call various functions at that stage. The problem is that the hook does not require authentication, so anyone who visits the admin URL can run the code. The admin hook for WP Live Chat calls the wplc head basic action, which does not check the user’s rights and simply updates the plugin settings.
This flaw can be exploited to update the wplc custom js JavaScript option, which controls the content displayed by the plugin whenever the live chat window appears. Consider this: the live chat widget follows the user across your website on almost any page he or she visits, making it easy for hackers to target multiple sites with this process!
So, how do you keep your site safe from this?
The WP Live Chat Support plugin’s developers have provided a patch that addresses this vulnerability. As a result, the only way to avoid having your website hacked is to update it to the most recent edition.
Any version after 8.0.27 is stable, but we still suggest that you upgrade to the most recent version on a regular basis. The most recent update is 8.0.33, which is available for download.
Step 1: Get the plugins and themes only from trusted sources!
Isn’t it tempting to download the premium plugin for free from a website or a torrent file? Perhaps you’re considering the premium features and how much money you’ll save… err… or would you, really?
When you download plugins from untrustworthy sites, you acknowledge the possibility of malware or viruses infecting them. Although you could save a few dollars on that premium plugin, you may end up spending thousands of dollars trying to restore your website, if that is even possible. As a result, only instal plugins from reputable sources, ideally an authenticated organization, and make sure they’ve been vetted for malicious code by experts and community members.
Plugins for the WordPress market place that you can trust:
- WordPress
- CodeCanyon
- PickPlug-ins
- Mojo Marketplace
- MyThemeshop
- Themeisle
- ThemeForest
Step 2: Get a reliable security plugin
For all of its websites, WordPress has a fairly good protection framework in place. A vulnerability like the one described above, on the other hand, can bypass all security checks and pose a threat to your website. As a result, a security plugin is necessary.
When it comes to protection plugins, get one that doesn’t just search your website for vulnerabilities after a suspicious attack, but one that constantly ensures your site is safe and stable all of the time. You need a plugin that provides 24/7 malware scanning, malware removal, WordPress firewall, and website maintenance… all in one package, at an affordable price!
MalCare is a plugin that was created with these concerns in mind, and it ensures that your website’s defenses are still active.
Malware scan:
MalCare searches the website for over 100 signals in addition to signature authentication. This allows it to detect malware more effectively than any other plugin on the market. It can detect even unidentified malware whose signature isn’t in any database.
MalCare syncs with your entire site and monitors any changes 24 hours a day, 7 days a week. Any unauthorized change is tracked to its exact location, which aids in finding the malware’s source. Even though MalCare monitors your site 24 hours a day, there is no pressure on your server because MalCare scans all files on its own server. With us, the website will never slow down!
By simply defining a schedule in the settings, MalCare will conduct regular automatic scans. You can also run unlimited on-demand scans whenever you like and be alerted immediately if malware is detected.
We also understand how frightening and inconvenient it is to receive a warning that your website is compromised only to discover that it is not the case. This is also taken care of by MalCare. It has the fewest false positives in the industry, which means we only alert you after a comprehensive search.
Malware removal:
In less than 60 seconds, MalCare’s one-click malware removal will have your site malware-free!
When MalCare removes malware from your website, it has no effect on it. If a file is corrupted, MalCare removes only the infected portion of the file, leaving your data unchanged. And if MalCare is frantically removing malware in the backend, the website will never go down.
MalCare will never infect your site again after it has identified and removed a specific malware. At any time. We can assure you of that. MalCare knows how to protect your website from a similar assault and malware if it wants to return, much as your body knows how to stop chickenpox after you’ve had it. You are now immune to future attacks.
Firewall for WordPress:
Wouldn’t it be awesome if you could hold the bad guys out and just let the good internet traffic in? This is just what the MalCare firewall does, and more!
This firewall monitors your incoming web traffic 24 hours a day, seven days a week, and compares it to a list of known malicious IP addresses in its network, preventing harmful IPs from accessing your site. It becomes impossible for an attacker to target your website if he is unable to gain access to it. Geo-blocking is also supported for added protection. You also get CAPTCHA-based login security with MalCare, which protects your website from brute force attacks. You will be informed immediately if MalCare detects any unusual logins, allowing you to take appropriate action.
We also provide two-factor authentication, which means that no one can access your website without a valid password and code.
Website Management:
All of your plugins must be updated to the most recent edition. As we’ve seen, the most straightforward way to protect yourself from the WordPress Live Chat Support plugin vulnerability was to fix it as soon as the developers released a patch. All of your themes and plugins will be updated for all of your websites using MalCare’s management software. You can update core changes, upgrade WordPress, and review PHP versions on your websites using the WordPress core manager.
In addition, if you want to grant a customer access but don’t want them to mess with the site’s features, MalCare’s management tool allows you to allocate unique user roles and access permissions so that no one makes unintentional changes. All of your websites allow you to easily add team members and clients.
Furthermore, MalCare allows you to manage an infinite number of websites.
Furthermore, you can monitor your website’s uptime, receive downtime warnings via Slack, and perform a performance review. You will save time by gathering all the data and having the insights centralized with superior, on-demand, and scheduled client reporting.
And you can do anything from a single dashboard!
There should be no compromises when it comes to web protection. After all, the website serves as your digital identity. Malware, bugs, and hackers should not be allowed to damage it in any way. MalCare will safeguard the website against all attacks, both present, and potential. For as little as $8.25 per month, you can get world-class protection! Many of the features listed above are included in every package at no additional cost.