Update September 16th 2017 : I’ve released a Free Security […]
I’ve been using Display Widgets for years. Upgraded continuously aside from the last version.
The only way I could see something was up was when I clicked to see “details”. Then I saw the plugin had been deleted. I figured something was wrong. Googled, got to Wordfence then your site.
WP Plugin team have a real issue here. Merely deleting the plugin from the repository will do nothing for anyone currently with it. Only makes the spam worse. A simple warning text when trying to update it would do – I don’t think it’s complicated.
Next, thank you very much for your hard work in bringing this to fruition.
I deleted the plugin. Reinstalled version 2.5. Is that enough to ensure any malicious code has been removed?
I plan to switch over to another plugin once I know the above.
Thanks for Your Work Regarding the Display Widgets Plugin!
I’ve released a Free Security Update/Upgrade of the Display Widgets Plugin which is called v4.0.0 and is malicious code free and extends the widget logic features. I’ll be supporting the new version with new future updates: it’s not going in the WordPress Repository so I’ve added a custom update library (updates from my server not the WordPress plugin repository).
I couldn’t agree more about the plugin team having a real issue here, the Display Widgets plugin has really highlighted failings in their system, a system best described as putting out fires rather than fire prevention: I emailed them over a dozen times about this plugin and they missed the malicious code at least twice when they rechecked the code!!!
The Display Widgets plugin isn’t even a big plugin, the hacked versions were two files, one containing pretty much the original 2.05 code and the geolocation.php file that was 50% tracking code and 50% malicious code (to create a dynamic post to hack sites). I’d hate to think what could be hidden in some of the huge plugins (dozens of php files) in the repository!
I’m just a WordPress user like you and noticed the tracking issue, but wasn’t looking for malicious code. The plugin team should be looking for this sort of thing when a new developer with no track record has consistently broken the plugin repository rules over and over again with a plugin they paid money for: that should have rung alarm bells. A business doesn’t buy a plugin without a plan to monetize, and free plugins are difficult to make money from.
This is a case study of incompetence: they missed the malicious code at least twice, missed user reports (including a trac ticket) of malicious code, took days to release the v2.7 update and still haven’t forced an upgrade, meaning there are tens of thousands of WordPress sites running vulnerable 2.6 code which THEY are responsible for allowing in the repository!
Regarding hacked sites, I wrote a comment about how to clean a site at How to Clean a Hacked WordPress Site.
I’m still not sure how much damage the hacker has done to WordPress sites, so don’t know how much to worry about this.
Display Widgets Plugin v4.0.0 Release
Hi Dave, great work on spotting the issues with the original plugin. I was actually unable to update from within WordPress, which led me here; I had already started migrating sites to your version before all this happened. I now find myself wondering what to do as you have removed your version. I understand your reasoning why, but I think now is the time everyone needs to migrate over to your plugin, and for that to happen it needs to be on the repository.
For the sake of us WordPress users I hope you reinstate the plugin. For now I have just downloaded the latest version of your SEO version 3.0 from the repository (it’s still on there: https://downloads.wordpress.org/plugin/display-widgets-seo-plus.3.0.0.zip) and will update any sites running the standard version to this. I, like many others, hope you carry on working on the plugin and hope to see it back on the main repository soon, as there is no good alternative.
Thanks for all your hard work.
Thanks for your work!
I have installed version 4.0.
But after deleting or updating the hacked version I have problems with login (cookie problem) and other actions, like a white site after saving a page, and many more.
Is there anything else that the hacked version changed?
Sorry to hear of the problems.
In principle yes the hack could have compromised your site in other ways.
I never installed the Display Widgets Plugin v2.6.* on a live site, only tested it in Localhost, so have no examples to look at beyond the “displaywidgets_ids” example I’ve pasted below (that was from my localhost test install).
The Display Widgets plugin v2.6.* adds a database option in the “wp_options” table that looks like this:
This in itself doesn’t cause any harm per se, but the entry and the plugin code allowed the developer to add a dynamic post into your database.
I don’t have an example of what this looks like, but understand it includes the name of the plugin “Display Widgets” and would assume it’s also in the “wp_options” table.
I’m afraid it’s a case of going through the database to see if anything stands out, for most WordPress sites the wp_options table tends to be below a few hundred entries so doesn’t take too long to look through. You are looking for anything that mentions Display Widgets or displaywidgets.
If the hacker went as far as to add one of these dynamic posts into your database there’s no reason why the entry couldn’t include other malicious code.
So basically they add a database entry which the malicious plugin (v2.6.*) uses to make a dynamic post database entry, but it could also be used to do other malicious things to your site. They could add all sorts of vulnerabilities to add backdoors.
The best advice would be to use a backup from before you installed the v2.6.* code, but that could be a backup from over 3 months ago!!!
Even though I have regular backups, if I had installed the malicious code I couldn’t go back three months (would lose important articles/comments), so would have to go with a manual security clean. I wrote a comment about what I’d do with the site’s files at How to Clean a Hacked WordPress Site.
Now I know a little more about what the backdoor hack does I’d also go through the database looking for options related to displaywidgets (did this in my localhost test installs, found nothing).
The person/people behind the malicious code has been doing this for years, they own loads of sites related to payday loans, finance, gambling… and have been hacking sites for years (found one mentioned on the WP forums from ~4 years ago) to add SEO link SPAM (they have a very well thought out SEO link SPAM program: I’m impressed). To put things into perspective the main suspect is in his early twenties and lives in a property that was bought in December 2016 for over £750,000 and they say black hat SEO techniques don’t work anymore :-)
BTW, before doing anything I’d look through your site’s log files for errors; a white screen suggests a 500 error. The logs can point you in the right direction.
If you find it difficult to access your log files you can also get WordPress to output a “debug.log” file by adding this to your “wp-config.php” file:
Download the “wp-config.php” file via FTP to your computer, edit it with a text editor.
Find this line:
$table_prefix = 'wp_';
Might not be ‘wp_’, doesn’t matter.
Below it add
define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
define('WP_DEBUG_DISPLAY', false);
When there are errors it creates a file under:
“example.com/wp-content/debug.log” – this file is publicly available (anyone can read it).
Browse through your site and check the file (can load it in a browser).
After finding and fixing the errors modify the code to:
#define('WP_DEBUG', true);
#define('WP_DEBUG_LOG', true);
#define('WP_DEBUG_DISPLAY', false);
Adding # comments out the code so it won’t run, but it’s in the file for next time (just remove the #s to check for other issues).
Also go to “/wp-content/” and delete the “debug.log” file, error notifications can be used by hackers to test for vulnerabilities, so you don’t want an easy to find log file left behind.
If you want to harden WordPress a little also add this to the “wp-config.php” file:
# Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);
This turns file editing under your Dashboard off: this assumes you don’t edit plugin and theme files under your Dashboard (which you shouldn’t do as there’s no backup).
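One way to run the wp_options sweep the comment above describes, as an added example that is not from the original thread: a Python script that uses an in-memory SQLite table as a stand-in for the MySQL wp_options table, filled with constructed rows (the “displaywidgets_ids” option name comes from the comment; every value and the “constructed_injected_entry” row are made up), and returns every row mentioning the plugin for manual review.

```python
import sqlite3

# Constructed stand-in for a WordPress wp_options table (not data from any real site).
# "displaywidgets_ids" is the option name reported in the thread; its value here is invented,
# and "constructed_injected_entry" is a made-up row standing in for an injected post entry.
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.test"),
    ("blogdescription", "Just another WordPress site"),
    ("active_plugins", 'a:1:{i:0;s:35:"display-widgets/display-widgets.php";}'),
    ("displaywidgets_ids", "a:1:{i:0;i:15;}"),
    ("constructed_injected_entry", "Display Widgets generated post placeholder (constructed)"),
    ("cron", "a:0:{}"),
]

# Strings the thread tells readers to look for; matching is case-insensitive.
NEEDLES = ("displaywidgets", "display widgets", "display-widgets")


def load_sample(conn):
    """Create wp_options with the two columns the review needs and insert the sample rows."""
    conn.execute("CREATE TABLE wp_options (option_name TEXT, option_value TEXT)")
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", SAMPLE_OPTIONS)


def find_display_widgets_options(conn, needles=NEEDLES):
    """Return (option_name, option_value) rows whose name or value mentions any needle.

    The same SELECT runs unchanged against a MySQL wp_options table (adjust the table
    prefix if the site does not use 'wp_'). Every hit is for manual review: active_plugins
    is expected to mention the plugin while it is installed, unknown names are the ones to
    inspect.
    """
    where = " OR ".join(
        "LOWER(option_name) LIKE ? OR LOWER(option_value) LIKE ?" for _ in needles
    )
    params = [p for n in needles for p in (f"%{n}%", f"%{n}%")]
    sql = f"SELECT option_name, option_value FROM wp_options WHERE {where} ORDER BY option_name"
    return conn.execute(sql, params).fetchall()


def scan_sample():
    """Build the in-memory sample table and run the sweep over it."""
    db = sqlite3.connect(":memory:")
    load_sample(db)
    return find_display_widgets_options(db)


if __name__ == "__main__":
    for name, value in scan_sample():
        print(f"{name}: {value[:60]}")
```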
Display Widgets Plugin Vulnerabilities
I cannot say enough how grateful I am for your research and detailed explanation. WordPress seriously needs to re-evaluate how they deal with abandoned plugins and problem plugins like this. At this point, we don’t know if a plugin just doesn’t have an update or was abandoned without researching each and every one regularly. Thank you again!