Viruses, malware, and other attack tools have increasingly exploited vulnerabilities in commonly used WordPress plugins to infiltrate the sites that run these extensions as part of their CMS. These plugins make our lives easier by giving us analytics, optimizing SEO, helping with email, and much more. Hackers, spammers, and others know this and constantly attempt to use a plugin’s faulty code to get into your site. They turn the plugin’s own programming against you to skew search results, degrade your site’s performance, and even take over your site. Below, we show you which popular plugins have succumbed to these types of attacks.

1. Jetpack by Automattic

According to this thread on WordPress support, malware is affecting the search results when you search for plugins from your WordPress dashboard. Those who have Jetpack installed may find that the plugin skews search results in favor of plugins created by Automattic, the makers of Jetpack.

For example, a search for “optimize” will turn up tools by Jetpack. Today, we searched for “optimize” from our dashboard without the Jetpack plugin installed and found the following, in this order:

  1. WP Optimize by David Anderson, et al.
  2. Autoptimize by Frank Goossens
  3. SG Optimizer by SiteGround
  4. Smush Image Compression by WPMU DEV

Other searches with Jetpack installed have yielded different results. There is an as-yet-unresolved debate over whether this underhanded promotion violates WordPress plugin policy.

2. Yoast SEO by Team Yoast

This popular plugin has over 5 million installs and a five-star rating from over 26,000 users. It is used to edit metadata, optimize pages and posts, and much more. However, a recent problem arose with the speed and performance of the extension: the call to Yoast was found to slow the site down while the plugin is active, and it does so without permission. The issue was found in Yoast SEO version 10.1.1 and was not fixed until version 10.1.3.

The good news is that you can update the plugin right away to correct the issue.

“An exploit (from the English verb to exploit, meaning "to use something to one’s own advantage") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service (DoS or related DDoS) attack.”

— Wikipedia

3. WP Google Maps

Those who don’t want to use a standard embed code for their Google maps turn to this plugin. With over 400,000 users, it lets you create custom Google maps with markers, categories, links, and more. A vulnerability discovered this week may allow malicious programs to take control of your website. We highly recommend that users update to the latest version as soon as possible and run a security scan for malware. Failure to update the extension can expose your site to an SQL injection attack. WP Google Maps versions 7.11.00 through 7.11.17 are vulnerable.

4. Easy WP SMTP by wpecommerce, alexanderfoxc

Those who want to send and receive emails from their site, such as form notifications, use this plugin to route them through their preferred SMTP server. It has over 300,000 active users and was recently found to be exploited. Vulnerabilities were discovered that allowed outside users to modify a site’s WordPress options and insert malicious code, along with other unauthorized commands. This vulnerability was found in version 1.3.9, and an update to fix it is hopefully coming soon.

Attacks like these happen all the time. This is why it is important to update your plugins regularly, run security checks, and keep backups of your site on hand in case the worst happens.
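As an added example that is not part of the original article, here is a Python check that flags installed plugins whose version falls inside one of the affected ranges the article gives, which is the kind of quick inventory check the advice above calls for. It assumes the input is the JSON printed by `wp plugin list --format=json` (a constructed sample is embedded) and that the plugin slugs match the wordpress.org directory names.

```python
import json
import re
# Affected ranges as the article states them: (first affected, first fixed); None
# for "first fixed" means no fixed release existed yet, so later versions are flagged too.
# Plugin slugs are assumed to match the wordpress.org directory names.
AFFECTED = {
    "wp-google-maps": ("7.11.00", "7.11.18"),  # 7.11.00 through 7.11.17 vulnerable
    "wordpress-seo": ("10.1.1", "10.1.3"),     # Yoast SEO: broken in 10.1.1, fixed in 10.1.3
    "easy-wp-smtp": ("1.3.9", None),           # found in 1.3.9, fix not yet released
}

def parse_version(version):
    """Turn '7.11.00' into (7, 11, 0) so versions compare numerically, not as text."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def is_affected(slug, version):
    """True if the installed version of this plugin falls inside its affected range."""
    if slug not in AFFECTED:
        return False
    first_bad, first_fixed = AFFECTED[slug]
    installed = parse_version(version)
    if installed < parse_version(first_bad):
        return False
    return first_fixed is None or installed < parse_version(first_fixed)

def check_plugins(wp_plugin_list_json):
    """Scan `wp plugin list --format=json` output and return the affected entries."""
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        if is_affected(plugin["name"], plugin["version"]):
            fixed = AFFECTED[plugin["name"]][1]
            findings.append({
                "name": plugin["name"],
                "version": plugin["version"],
                "status": plugin["status"],  # an active affected plugin is the urgent case
                "action": f"update to {fixed} or later" if fixed else "no fix yet: disable or monitor",
            })
    return findings

# Constructed sample of `wp plugin list --format=json` output, not from a real site.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "wp-google-maps", "status": "active", "update": "available", "version": "7.11.12"},
    {"name": "wordpress-seo", "status": "active", "update": "none", "version": "10.1.3"},
    {"name": "easy-wp-smtp", "status": "inactive", "update": "none", "version": "1.3.9"},
    {"name": "jetpack", "status": "active", "update": "none", "version": "7.2"},
])

if __name__ == "__main__":
    for f in check_plugins(SAMPLE_WP_PLUGIN_LIST):
        print(f"{f['name']} {f['version']} ({f['status']}): {f['action']}")
```

On a real site, pipe the output of `wp plugin list --format=json` into `check_plugins` instead of the constructed sample.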