Home > Internet > Hackers target another WordPress plugin flaw to install backdoors and create admin accounts

Hackers target another WordPress plugin flaw to install backdoors and create admin accounts

Have you noticed that your WordPress site has been hacked again recently? Have you found malware, trogans, mailers and rogue files in almost every folder? Yes you and 1000’s of other WordPress users I’m afraid, however my main concern is for the 1000’s of WordPress users who never do a malware scan or whose people and companies who don’t even realise that the city centre web design agency they paid £1000’s to for a so called professional website simple installed WordPress and didn’t even tell them leaving them vulnerable to things like this.

So what’s happend, again!!!! A recently discovered vulnerability in a popular WordPress plugin is being actively exploited in attacks by hackers attempting to install backdoors on websites, inject custom code, and grant themselves admin rights.

The flaw existed in a version of the AMP for WP – Accelerated Mobile Pages plugin, designed to make webpage load faster on mobile devices.

AMP for WP mysterious disappeared from the official WordPress plugin repository on 21 October, with its 100,000+ users greeted with a message saying:

“This plugin was closed on October 21, 2018 and is no longer available for download.”

An update on the developers’ blog, however, claimed that the plugin’s withdrawal was “just a temporary situation” that would be resolved in a “couple of days” once a security vulnerability had been fixed.

The blog post didn’t share much details about the plugin’s security vulnerability other than to say it “could be exploited by non-admins of the site.”

In an apparent attempt to reassure users, the developers said that existing users could continue to use the plugin while they worked on a fix.

Hmm. A plugin has a vulnerability but carry on using it? That doesn’t sound like great advice to me.

Security researchers at WebARX shared more details of the problem last week, after a fixed version of the plugin was finally released.

The researchers explained that vulnerabilities in AMP for WP allowed unauthorised users to change any plugin option, and could even inject malicious code (such as malvertising or cryptomining code) onto the website’s pages.

The existence of the vulnerability is bad enough, but now researchers at Wordfence say that they have seen it being actively exploited in conjunction with a XSS (cross-site scripting) bug to create new admin user accounts with the name “supportuuser” (of course, the attack could change to use other account names).

If your website runs a self-hosted edition of WordPress then it is essential it – and any third-party plugins – are kept updated. At the time of writing, the latest version of AMP for WP is version

Self-hosting your WordPress site has its benefits, but the biggest drawback is that the onus is put on you to keep it up-to-date with the latest patches and updates (or find yourself a managed wordpress host who is prepared to take it on for you). New vulnerabilities are frequently found in the software and its many thousands of third-party plugins – so it’s not something that you can afford to ignore.

My advice? Enable automatic updates wherever possible or if you can afford it go bespoke and only use WordPress for blogs, the use it was actually designed for and the thing it’s great at.

Left unattended, website running a self-hosted edition of WordPress can be easy pickings for a hacker, potentially damaging your brand, scamming your website’s visitors, and helping hackers make their fortune. WordPress is a great DIY tool, it’s a great blogger platform but nowadays there are simply too many amateur web designers and telesales driven web design agencies using WordPress to churn out quick, cheap websites without knowing anything about security or the web design industry in general.

The ability the click on a button that says install WordPress does not make someone a web developer and hackers know this and hope that your install has been done by one of these amateur have a go web designers. Even with a professional install the open source nature of WordPress makes it a hackers target and this is the reason that we insist that own own clients running WordPress sign up to one of our maintenance packages where we backup your site each months, do security updates and perform regular malware and virus scans.


  1. This is why I stopped using wordpress for my business website, constantly hacked no matter how updated i kept it, it became a weekly battle….. The article is correct about the 1000’s of oblivious people who don’t even know they have been hacked…..they are the ones that say “My WordPress site has NEVER been hacked” and allow spammers to send phishing emails from their domain and host password/info collecting page on their sites…..

  2. This is true, there are 100’s if not 1000’s of legitimate websites out there hosting phishing scripts and password collection pages, the site owners are oblivious because they don’t know how to keep their sites secure and many of these companies don’t even realise that their “professional” ‘cough’,’cough’ web designer simply installed WordPress then handed them a bill for web development….

  3. What are you on about “The ability the click on a button that says install WordPress does not make someone a web developer” it’s a lot more involved than that, you need to installed your theme and your add-on too…. WordPress is the best, What do you use for your websites then? Joomla, Concrete CMS, these are crap…idiot…

    • Keyadmin

      “Johnnyvus” You are the “Idiot” my friend… Professional web developers use something called code, who do you think wrote WordPress in the first place, do you think it is magic…. No it’s written in a server language called PHP…. If people like you are using WordPress to sell people web design services then it’s idiots like you who are causing the problems illustrated in this article and god help any of your unfortunate clients.

  4. This is the problem these days… 1000’s of have a go web designers flooding the industry who don’t have a clue what they are doing thinking they have discovered the perfect business model installing WordPress for unsuspecting businesses who think they have employed a professional web developer.

    These clueless businesses end up with poorly installed sites open to hackers who use them to send spam and host phishing forms..

    • Keyadmin

      You are spot on Ian… I’ve been a web developer for 19 years and seen and increase in these have a go designers in recent years… TBH I only use WP for blogs, like this one, that’s what WP was designed for, even so, its secure and scanned for malware daily… My business clients get bespoke code after all that’s why they come to a professional developer….Make me cringe when i here of a company paying 4 figures for a WP install

  5. So True.. The rise in the number of amateur “have a go” web designers who believe that the ability to install WordPress makes them a professional developer has made it a lot easier for the hackers to install malware and phishing pages on innocent website… however, as pointed out by “Keyadmin” the real victims are the companies who unwittingly use amateur developers like “Johnnyvus”

Leave a Reply

Your email address will not be published. Required fields are marked *