
Supply chain attack backdoored over 90 WordPress themes and plugins

In a supply chain attack, 93 WordPress themes and plugins were found to include a backdoor, giving hackers complete access to websites.

At least 40 themes and 53 plugins from AccessPress, a popular provider of WordPress add-ons, were compromised by hackers.

Researchers at Jetpack, a security and optimization tool for WordPress, determined that a backdoor had been inserted into the PHP code of the themes and plugins.

Security researchers suspect the AccessPress website was compromised by an outside threat actor in order to spread malware across WordPress installations.

Backdoor gives complete control

As soon as administrators installed a compromised AccessPress product and the site was up and running, the actors' code created a new “initial.php” file in the theme directory and included it in the main “functions.php” file.

This file contained a base64-encoded payload that was used to insert a webshell into the “./wp-includes/vars.php” file.

Once the payload was decoded and injected into the “vars.php” file, the threat actors could take control of the compromised site remotely.

Because the malware deletes the “initial.php” dropper file to hide its presence, the only way to detect it is with a core file integrity monitoring solution.

According to Sucuri experts who studied the incident, a threat actor used the backdoor to redirect visitors to malware-dropping and scam sites. The campaign was therefore not a complex one.

It is also probable that this malware was used to sell access to backdoored websites on the dark web, as a way of profiting from such a large-scale infection.

Am I affected?

Removing, replacing or updating a compromised plugin or theme will not remove any webshells that may have been implanted through that component.

As a result, website administrators are urged to carry out the following checks:

Check your wp-includes/vars.php file, paying particular attention to lines 146-158. If the injected function and its code appear there, you’ve been hacked.
Search your file system for the terms “WP is Mobile Fix” or “WP Theme Connect” to find affected files.
Replace your core WordPress files with fresh copies.
Switch to a new theme and update the affected plugins.
Change your wp-admin and database passwords.

Jetpack has also offered a YARA rule that can be used to check whether a site has been infected; it detects both the dropper and the webshell.
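
The file checks above can be scripted. The Python below is an added example, not code from the article, Jetpack or Sucuri: it compares a site's core files against a freshly unpacked copy of the same WordPress release and lists PHP files containing either of the two search terms. The function names, the `check_core.py` file name and the loose matching of the terms (any case, with spaces, underscores or hyphens between the words) are assumptions made for this example.

```python
import hashlib
import re
import sys
from pathlib import Path

# The article's two search terms; case and word separators are matched loosely
# (assumption: in code they may be joined by underscores or hyphens).
MARKERS = re.compile(
    rb"wp[\s_-]*is[\s_-]*mobile[\s_-]*fix|wp[\s_-]*theme[\s_-]*connect", re.I)
CORE_DIRS = ("wp-admin", "wp-includes")  # standard WordPress core directories


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def core_drift(site, clean):
    """Map relative path -> state for core files that differ from a fresh copy."""
    findings = {}
    for top in CORE_DIRS:
        for ref in (clean / top).rglob("*"):
            if not ref.is_file():
                continue
            rel = ref.relative_to(clean)
            live = site / rel
            if not live.is_file():
                findings[rel.as_posix()] = "missing"
            elif sha256(live) != sha256(ref):
                findings[rel.as_posix()] = "modified"
        # Files present on the site but absent from the fresh copy.
        for live in (site / top).rglob("*"):
            rel = live.relative_to(site)
            if live.is_file() and not (clean / rel).is_file():
                findings[rel.as_posix()] = "unexpected"
    return findings


def marker_hits(site):
    """PHP files anywhere under `site` containing one of the search terms."""
    return sorted(p.relative_to(site).as_posix() for p in site.rglob("*.php")
                  if p.is_file() and MARKERS.search(p.read_bytes()))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_core.py <site_root> <fresh_wordpress_copy>")
    site, clean = Path(sys.argv[1]), Path(sys.argv[2])
    for rel, state in sorted(core_drift(site, clean).items()):
        print(f"{state:10} {rel}")
    for rel in marker_hits(site):
        print(f"{'marker':10} {rel}")
```

A `modified` result for wp-includes/vars.php is the case the article describes; because the dropper deletes itself, the comparison against a fresh copy is what still shows the change afterwards.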


Toulas, B. (2022, January 21). Over 90 WordPress Themes, Plugins Backdoored In Supply Chain Attack. BleepingComputer.

1 thought on “Supply chain attack backdoored over 90 WordPress themes and plugins”

  1. Have you been able to check that my website is clean and not hacked from a backdoor attack as described in this article? With frequent hacker attacks, at least 17 a day, from around the world, I am confident that your constant watch over my site is protecting it.
