What We Can Learn About Backdoor Attacks From WordPress

WordPress Backdoor Attacks: What We Can Learn

Millions of organizations worldwide rely on WordPress for website creation and management. In fact, there are currently over 75 million sites that use WordPress for their operations. The Walt Disney Company, BBC America, Microsoft News, The Rolling Stone: all of these big-name brands rely on WordPress to run their websites, which also makes them a desirable target for bad actors.

Unfortunately, WordPress sites are frequently subject to data breaches, specifically through backdoor attacks. Without proper security controls and monitoring technology, WordPress sites continue to experience backdoor activity, which is frustrating for organizations using the software. There are ways to protect your network from threat actors aiming to plant backdoors, which we will dive into after a quick explanation of this type of threat.

What is a backdoor attack?

In general terms, a backdoor attack is a type of breach where hackers install malware that bypasses a network's normal security requirements and authentication through deception and careful concealment. Whereas some cyber attacks are more obvious and noticeable (like a ransomware attack or phishing attempts), backdoors are designed to be subtle and hide within another form of software such as a file converter, a software update, or a suggested download.

Once a backdoor is installed on your network, it’s common for attackers to lurk around undetected for as long as possible to increase the spread across your network. Once detected, it can be hard to know if you truly have patched all of the areas a backdoor may have reached.

WordPress Vulnerabilities, and the Unfortunate History of Backdoor Attacks

On March 28th of 2021, WordPress announced that the scripting language PHP, used to create all their domains, had been hit with a backdoor attack in which remote code was inserted into an edit of the PHP source. The code, when inserted into a website's language in a minor update, potentially opened the door for hackers to take over any PHP website remotely.

WordPress has experienced many backdoor attacks over the years, mainly because of the frequent updates pushed to WordPress networks, the acceptance of plugins and extensions by the host organization, and the lack of firewall protection from the WordPress network. Backdoor attacks on WordPress sites, or any networks for that matter, can present themselves in the form of:

  • A hidden file that redirects visitors to another site
  • Hidden access to the WordPress site as a fake administrator
  • Spam emails made to look like they’re coming from a real WordPress website
  • And much more...
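The first symptom above, a hidden PHP file that redirects or runs decoded payloads, leaves traces on disk that a defender can look for. The following Python audit is an added example, not code from this post or from Bitsight; the indicator patterns and the assumption that WordPress never places PHP under wp-content/uploads are the author's own, and the sample site it scans is constructed inline.

```python
"""Flag files in a WordPress tree that match common backdoor symptoms (added example)."""
import os
import re
import tempfile

# (label, regex) pairs: content indicators rarely seen in legitimate core/plugin code.
INDICATORS = [
    ("eval of decoded payload",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("hard-coded external redirect",
     re.compile(r"header\s*\(\s*['\"]Location:\s*https?://", re.I)),
]

def scan_wordpress_tree(root):
    """Return sorted (relative_path, reason) tuples for suspicious PHP files under root."""
    findings = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Assumption: WordPress itself never writes PHP into the uploads directory.
            if rel.startswith("wp-content/uploads/"):
                findings.add((rel, "PHP file inside uploads directory"))
            if name.startswith("."):
                findings.add((rel, "hidden dotfile with PHP extension"))
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    body = fh.read()
            except OSError:
                continue
            for label, pattern in INDICATORS:
                if pattern.search(body):
                    findings.add((rel, label))
    return sorted(findings)

def build_sample_site():
    """Constructed sample tree: one clean theme file plus two planted indicator files."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "wp-content/themes/demo/functions.php": "<?php add_action('init', 'demo_init');\n",
        "wp-content/uploads/2021/03/.cache.php": "<?php eval(base64_decode('aGVsbG8='));\n",
        "wp-includes/rss-feed.php": "<?php header('Location: http://example.invalid/'); exit;\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for rel, reason in scan_wordpress_tree(build_sample_site()):
        print(f"{reason}: {rel}")
```

Run against a real install, pair the path checks with a comparison of core file hashes against a clean WordPress release so that modified-in-place files are caught as well.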

The March attack on WordPress occurred just weeks after the breach of Microsoft Exchange targeted government agencies as well as thousands of organizations globally, many of which have undetected backdoor attacks present on their network even if they’ve already patched their systems post-breach. 

Backdoor attacks are more prevalent than some security managers believe. The hidden nature of the attack lets malicious actors go undetected for a dangerous amount of time, so when vulnerabilities are detected it is hard to know where they end.

Protecting Your Network From Backdoor Attacks

It might feel impossible to fight off the possibility of hidden threats from every corner of your network, but there are best practices that can reduce the risk of backdoor attacks successfully targeting your network. With automated technology to support your cybersecurity risk program, as well as consistent maintenance of best practices with your team and vendors, you can reduce the risk of backdoor attacks. 

Fast-acting cybersecurity best practices

Backdoor attacks often target individual employees with phishing emails, suggested plug-in or software downloads, and other techniques that are potentially preventable with the right training. Establishing company policies that include cybersecurity training, and even writing it into your employee contracts, can help ensure your team is taking every step it can to protect your network, and in turn your reputation and business performance.

Network scanning to gain a complete picture of risk

Relying on point-in-time assessments and self-reported cybersecurity updates from your vendors can allow backdoor attacks to sneak into your network. What happens outside of the timeframe that your vendor assessments take place? Are your vendors rushing to notify you that their network has vulnerabilities, or are you finding out through your own research?

With continuous monitoring technology, you can stop worrying if you are properly protected against backdoor attacks, and instead can monitor your network with your own needs in mind. Continuously monitoring your network can help give you a full view of where the risks live in your network and alert you to any vendors that are presenting vulnerabilities. Identifying some of the symptoms of a backdoor attack without having to wait for your vendor notifying your security team can help remediation happen more efficiently and reduce risk across your entire business.

Have an action plan when problems arise

It is not enough to just monitor for risky areas or indicators of a backdoor attack; it is also critical to establish remediation strategies to patch your systems efficiently. Backdoor attacks can lead to hidden areas of risk on your network that might not reveal themselves for weeks, months, or even years. The quicker you work to combat the areas of risk in your network, the less time threat actors have to further explore your systems.

This can be tricky when working with vendor risk if there isn’t a remediation plan in place because it leaves room for unclear responsibilities. Including an agreed upon strategy in your vendor contracts is a great way to proactively handle future threats. Bitsight for Third Party Risk Management also can help facilitate the remediation process with the Enable Vendor Access feature in the portal. When a vendor’s Security Rating changes, or if a specific risk area is concerning to your vendor security team, you can grant access to your vendor to see their rating breakdown within the Bitsight portal. This view gives them increased visibility into their risky areas and can help speed up the remediation process, as well as promote better security hygiene in the long-run for your vendor. 
