Infiltrated WordPress.com accounts used to install rogue plugins on self-hosted sites
News Courtesy of Wordfence.com:
Our customer service team raised the alarm about a problem several users have had in the last few days. They all reported a malicious plugin named “pluginsamonsters” suddenly installed on their site. They learned about the problem thanks to an alert from Wordfence.
Our team has investigated these compromises and in this post we will describe how the attackers are gaining access and what you can do to prevent it from happening to you.
File this under the weak passwords category. This is not a hack or breach of WordPress’s systems. Rather, it is a matter of hijacking credentials for WordPress.com and using Jetpack to install a spam plugin on linked self-hosted websites. The most common pattern is that usernames and passwords exposed in data breaches of other services are tried against WordPress.com to see whether the same credentials open an account there. Since many people reuse the same username and password combination across multiple platforms, this method of attack was bound to have some success.
The simplest fix is to make sure you use a unique, strong password for WordPress.com. This is especially important if you use Jetpack and have linked sites. So far, these rogue plugins appear to be only a vehicle for spam or phishing. In most cases there was no further exploitation of the infected sites and no damage or loss of data. Removing the plugin seems to end the threat on that particular installation. Of course, if you know of a previous data breach that exposed your login credentials, it should be common sense to change any similar username and password combinations immediately.
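Because the install comes through the WordPress.com connection rather than the site itself, a site owner can still catch it by diffing the plugins directory against a known-good inventory. The following is an added example, not Wordfence's code: the `wp-content/plugins/<slug>/<slug>.php` layout and `Plugin Name:` header are standard WordPress, while the baseline and the sample plugins (including the display name given to the "pluginsamonsters" slug) are constructed.

```python
"""Detect plugins that appeared on a self-hosted WordPress site since the last
known-good inventory. Added example, not Wordfence's code. The plugin layout
(wp-content/plugins/<slug>/<slug>.php with a 'Plugin Name:' header) is the
standard one; the baseline and sample plugins below are constructed."""
import os
import re
import tempfile

HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

def inventory(plugins_dir):
    """Return {slug: (name, version)} for every plugin directory found."""
    found = {}
    for slug in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, slug)
        if not os.path.isdir(path):
            continue
        meta = {}
        for fn in sorted(os.listdir(path)):
            if not fn.endswith(".php"):
                continue
            with open(os.path.join(path, fn), encoding="utf-8", errors="replace") as f:
                head = f.read(8192)  # WordPress itself reads only the first 8 KiB for headers
            meta = dict(HEADER_RE.findall(head))
            if "Plugin Name" in meta:
                break  # the file carrying the header is the plugin's main file
        found[slug] = (meta.get("Plugin Name", "?"), meta.get("Version", "?"))
    return found

def new_plugins(baseline, current):
    """Slugs present now that were not in the approved baseline."""
    return sorted(set(current) - set(baseline))

def build_sample_site():
    """Constructed fixture: one approved plugin plus the rogue slug from the report
    (its real display name is unknown, so the slug is reused as the name)."""
    plugins = os.path.join(tempfile.mkdtemp(), "wp-content", "plugins")
    for slug, name in [("jetpack", "Jetpack"), ("pluginsamonsters", "pluginsamonsters")]:
        os.makedirs(os.path.join(plugins, slug))
        with open(os.path.join(plugins, slug, slug + ".php"), "w", encoding="utf-8") as f:
            f.write(f"<?php\n/*\nPlugin Name: {name}\nVersion: 1.0\n*/\n")
    return plugins

BASELINE = {"jetpack": ("Jetpack", "1.0")}  # constructed approved inventory

if __name__ == "__main__":
    current = inventory(build_sample_site())
    for slug in new_plugins(BASELINE, current):
        print("unexpected plugin:", slug, current[slug])
```

Run on a schedule against a real site's plugins directory, any slug reported here that no one on the team installed is the signal that the linked WordPress.com account needs its password changed and its Jetpack connection reviewed.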