Hacked WordPress themes and plugins: backdoor danger

Over 90 WordPress themes and plugins have reportedly been found vulnerable: find out whether your site is affected and how to remove the backdoor.

While investigating possible malicious activity on WordPress, Automattic security researchers uncovered a far more troubling problem. It turned out that all AccessPress Themes products (themes and plugins) had been compromised, making them a possible battering ram for the attackers who managed to get their hands on them.

Hacked WordPress, plugins and themes

The problem is reportedly serious for two reasons: the injected code allows full control of a compromised website, and over 350,000 sites are said to be involved (over 90 vulnerable themes). The investigations led to immediate confirmation: the breach reportedly dates back to last September, without the knowledge of the affected group, and was used as a conduit for further attacks.

As for the plugins, the code has been cleaned up and a simple update solves the problem. Those who have adopted one of the AccessPress themes, on the other hand, have no choice but to change theme so that the vulnerability does not remain on their site.

According to the Sucuri analysis, the attackers reportedly monetized the breach through redirects to sites purpose-built for scams or other fraud attempts.

To find out whether you are affected, inspect the wp-includes/vars.php file: if it contains a "wp_is_mobile_fix" function with obfuscated code, the site has been compromised and you need to act to remove the backdoor. In that case, full instructions are available on the appropriate page.

Giacomo Dotta Malware and virus security

A backdoor that allows attackers to take control of websites has been inserted into many WordPress themes and plugins developed by AccessPress.

Automattic security researchers found that many themes and plugins developed by AccessPress were compromised and replaced with versions containing backdoors. This happened in September through a "supply chain attack". According to a first estimate, the problem affects around 360,000 WordPress-based sites.

Backdoor in AccessPress themes and plugins

In a "supply chain attack", the attacker gains access to the site hosting the software and replaces the original version with an infected one. The code of the backdoor discovered by Automattic is present in 40 themes and 53 AccessPress plugins distributed by the official website. The versions published in the WordPress.org repositories have not been compromised.

Sucuri experts have verified that the backdoor allows an attacker to take control of the sites. The code was added to the initial.php file copied to the theme root directory. The backdoor webshell is written to the ./wp-includes/vars.php file. After installing the backdoor, the initial.php file is deleted to hide the traces. However, a file integrity monitoring tool can detect changes made to the vars.php file.

The backdoor was used to distribute spam and open sites containing malware. The perpetrators of the attack probably sold access to the sites on the dark web.

To check whether the site has been compromised, search the vars.php file for the “wp_is_mobile_fix” function. If it is found, you need to replace all core WordPress files and download AccessPress themes and/or plugins from WordPress.org, or choose alternative solutions.
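The check described in both articles above, written out as an added example (it is not code from Automattic, Sucuri or AccessPress): it searches wp-includes/vars.php for the "wp_is_mobile_fix" marker, optionally compares the file against a reference copy in the way a file integrity monitor would, and flags any initial.php left in a theme root. The function names, the default wp-content/themes layout and the sample directory tree are assumptions made for the illustration.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

MARKER = b"wp_is_mobile_fix"  # function name the articles say to search for


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def check_site(wp_root, clean_vars=None):
    """Return a list of findings for one WordPress install (empty list = none)."""
    root = Path(wp_root)
    findings = []
    vars_php = root / "wp-includes" / "vars.php"
    if not vars_php.is_file():
        return [f"{vars_php}: missing, not a WordPress root or core is damaged"]
    if MARKER in vars_php.read_bytes():
        findings.append(f"{vars_php}: contains {MARKER.decode()} (backdoor indicator)")
    # Integrity check against vars.php taken from a pristine copy of the same core release.
    if clean_vars is not None and sha256(vars_php) != sha256(clean_vars):
        findings.append(f"{vars_php}: differs from reference copy {clean_vars}")
    # The dropper is deleted after it runs; a leftover copy is still worth a manual look.
    for dropper in sorted(root.glob("wp-content/themes/*/initial.php")):
        findings.append(f"{dropper}: initial.php in theme root, inspect by hand")
    return findings


def make_sample_site(base, infected):
    """Build a constructed, minimal directory tree for the demo (not real WordPress code)."""
    root = Path(base) / ("infected" if infected else "clean")
    (root / "wp-includes").mkdir(parents=True)
    (root / "wp-content" / "themes" / "sample-theme").mkdir(parents=True)
    body = "<?php\n$is_apache = true;\n"
    if infected:
        body += "function wp_is_mobile_fix() { /* obfuscated body omitted */ }\n"
        (root / "wp-content/themes/sample-theme/initial.php").write_text("<?php // constructed\n")
    (root / "wp-includes" / "vars.php").write_text(body)
    return root


if __name__ == "__main__":
    # Pass real install paths as arguments; with none, constructed sample trees are scanned.
    roots = sys.argv[1:] or [make_sample_site(tempfile.mkdtemp(), i) for i in (False, True)]
    for r in roots:
        for line in check_site(r) or [f"{r}: no indicators found"]:
            print(line)
```

An empty result only means this one indicator is absent; the reference-copy comparison is the stronger check because it catches any change to vars.php, not just the named function.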