This Vulnerability In Your WP Live Chat Support Plugin Lets Hackers Compromise Your Site!
Having a WordPress website is excellent, but in the digital world, there is always an ongoing battle between the good guys and the bad guys…sounds like a movie plot, doesn’t it? But, this is a reality! The good guys – security researchers and developers, want to keep your website safe. And the bad guys – the hackers and spammers, want to use it illegally for malicious purposes.
Let’s dig deeper…
“There is an attack on a website every 39 seconds and 98% of WordPress vulnerabilities are related to plugins”
While you are reading this, an attacker somewhere is trying to illegally access a WordPress website by exploiting some plugin’s vulnerability.
In April 2019, the good guys, aka security researchers, discovered a persistent cross-site scripting (XSS) vulnerability in the WP Live Chat Support plugin. This tipped off the bad guys, aka hackers, who could exploit the flaw to inject malicious scripts into a website and thereby take control of it. WP Live Chat Support is a WordPress plugin offered as a free alternative to other fully featured live chat plugins meant for engagement and conversions. The plugin had more than 60,000 active installs, which put thousands of users at risk.
What was this vulnerability and how does it affect you?
The vulnerability in WP Live Chat Support plugin allowed an attacker to carry out cross-site scripting (XSS) attacks on the target website.
In an XSS attack, the hacker injects a malicious script or code into your website without your knowledge. That code can then collect user data (uh-oh!), modify your website content, or redirect visitors to another malicious webpage. If the hacker manages to inject the code into a part of your website that is stored on the server (for example, user comments or plugin settings), it becomes Persistent XSS.
‘Persistent,’ because whenever a user loads the infected webpage, the browser executes that malicious code, thereby completing the attack.
We all know search engines, Google in particular, take site security very seriously. Any such vulnerability will therefore have a very bad impact on your SEO. Not just that, it also creates trust issues among your users. In worse cases, you could even lose access to your website or get suspended by your web host for having spam links and malware on your site.
The reason why this vulnerability is a big deal is that it doesn’t require any authentication and can be exploited by users who do not even have an account on the infected website. With no authentication requirement, it gets easy to automate the attack to affect a large number of sites, more than 60,000 in this case!
The attack is made possible by an unprotected ‘admin_init’ hook. Unprotected admin_init handlers are a common entry point in WordPress plugin attacks, and many attackers start there.
Let’s first understand what a hook means. A hook is a means for one piece of code to interact with and change another. WordPress fires admin_init when someone loads an admin page, and also on requests to admin-ajax.php and admin-post.php, which do not require a login. Developers can attach their own functions to this hook. The issue is that the hook itself doesn’t require any authentication, so anyone who can reach those admin endpoints can trigger the attached code. WP Live Chat’s admin_init handler calls an action named wplc_head_basic, which doesn’t check the user’s privileges and simply updates the plugin settings with whatever the request supplies.
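The pattern described above, as an added illustration that is not WP Live Chat Support’s own code: a constructed admin_init handler that writes request data into an option without any checks, next to a hardened version with authorisation, a nonce, input sanitisation and output escaping (the function, option and nonce names are hypothetical).

```php
<?php
// Constructed illustration of an unprotected admin_init handler; not the
// plugin's real code. Names prefixed "example_" are hypothetical.

// VULNERABLE: admin_init also fires for admin-ajax.php and admin-post.php,
// which unauthenticated visitors can reach, so this runs for anyone and
// stores attacker-controlled HTML in a plugin setting.
function example_head_basic_vulnerable() {
    if ( isset( $_POST['example_chat_greeting'] ) ) {
        // No capability check, no nonce, no sanitisation.
        update_option( 'example_chat_greeting', $_POST['example_chat_greeting'] );
    }
}
// Unescaped output on a public page turns the stored value into persistent XSS.
function example_render_greeting_vulnerable() {
    echo get_option( 'example_chat_greeting', '' );
}

// HARDENED: only a privileged request carrying a valid nonce may change the
// setting; the value is sanitised on the way in and escaped on the way out.
function example_head_basic_hardened() {
    if ( ! isset( $_POST['example_chat_greeting'] ) ) {
        return;
    }
    // 1. Authorisation: the caller must be allowed to manage settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // 2. Intent: the request must carry the nonce issued with the settings form
    //    (blocks CSRF even against a logged-in admin).
    check_admin_referer( 'example_chat_settings', 'example_chat_nonce' );
    // 3. Input validation: keep plain text only, strip tags and slashes.
    $greeting = sanitize_text_field( wp_unslash( $_POST['example_chat_greeting'] ) );
    update_option( 'example_chat_greeting', $greeting );
}
add_action( 'admin_init', 'example_head_basic_hardened' );

// 4. Output encoding: escape at render time regardless of what was stored.
function example_render_greeting_hardened() {
    echo esc_html( get_option( 'example_chat_greeting', '' ) );
}
```

Only the hardened handler is registered here; the vulnerable one is shown for comparison. When reviewing a plugin, look for admin_init callbacks that call update_option with request data and lack a current_user_can or nonce check.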
So, how do you keep your site safe from this?
The developers behind the WP Live Chat Support plugin have released a patch which takes care of this vulnerability. Therefore, the best solution to avoid getting your website hacked is updating the plugin to the latest version.
Any version after 8.0.27 is safe, but even then we would recommend updating frequently to the most recent version. The newest version is 8.0.33 and is available here.
How do you keep your site safe in the future?
Step 1: Get the plugins and themes only from trusted sources!
It’s quite tempting to get that premium plugin for free from a website or a torrent file, isn’t it? You might be thinking about the premium features and how much money you will possibly save… err… or will you, really?
Whenever you download plugins from unreliable sources, you also accept the risk of them being infected with malware or viruses. While you might save a few bucks on that premium plugin, you might end up spending thousands trying to recover your website, if that is even possible. Therefore, always install plugins from trusted sources, preferably the plugin’s official developer, and check whether they have been vetted by experts and community members for malicious code.
Trusted WordPress market place plugins:
Step 2: Get a reliable security plugin
WordPress core has reasonably effective security measures in place. However, a vulnerable plugin like the one mentioned above runs with the site’s own privileges and sidesteps those core protections, posing a threat to your site. Hence a security plugin is critical.
When it comes to security plugins, it is preferable to get a plugin that doesn’t simply scan your website for a vulnerability after a suspected attack, but a plugin which actively ensures your site is safe and secure all the time. You need a plugin which offers 24/7 protection with malware scanning, malware removal along with WordPress firewall and website management… all in one, at an affordable price!
MalCare is a plugin developed with exactly these things in mind and it ensures your website’s defences are always up.
Here’s what MalCare offers…
MalCare scans your website with 100+ signals and goes beyond signature verification. This enables it to identify malware better than any other plugin available in the market. It can identify even unknown malware whose signature is not present in any database.
MalCare syncs with your entire site and tracks any changes 24/7. Any unauthorized change is tracked to its precise location, which helps in identifying the source of the malware. Even while tracking your site 24/7, there is zero load on your server, as MalCare scans all the files on its own server. Your website will never slow down with us!
You can set up MalCare to perform daily automatic scans by simply specifying a schedule in the settings. You also have the option to perform unlimited on-demand scans whenever you want and get notified instantly if malware is found.
We also understand how scary and irritating it is to get a notification saying your website is infected only to find out that it was not true. MalCare takes care of this too. It has the industry’s least false positives… which means we notify you only after a thorough check.
With MalCare’s one-click malware removal, your site will be malware-free in less than 60 seconds!
MalCare does not affect your website when it cleans it of malware. If a file has been infected, MalCare intelligently removes only the infected part and leaves your data intact. Your website will never break down even when MalCare is furiously working in the backend to remove malware.
Once MalCare identifies and removes a certain malware, it can never infect your site again. Ever. We guarantee it. Just like your body knows how to avoid chicken pox once you catch it, MalCare knows how to safeguard your website from a similar attack and malware if it tries to come back. You have immunity from future attacks.
If you can keep the bad guys outside and let only the good internet traffic in, wouldn’t it be great? MalCare firewall does precisely this, and more!
This firewall checks your incoming web traffic 24/7 against a list of known malicious IP addresses in its network and blocks dangerous IPs from accessing your site. If attackers cannot access your website, it becomes difficult for them to attack it. It even supports geo-blocking for additional protection. With MalCare, you also get CAPTCHA-based login protection which protects your website against brute force attacks. If MalCare detects any suspicious logins, you get notified immediately so that you can take appropriate action.
Also, we have two-factor authentication that ensures no one gets access to your website without a proper password and code.
It’s essential to have all your plugins on the latest version. As we have seen, the simplest way to be safe from the WP Live Chat Support plugin vulnerability was to update it as soon as the developers released the patch. MalCare’s management tools will update all your themes and plugins across all your websites. Using its WordPress core manager, you can update core modifications, upgrade WordPress and check the PHP version on your websites.
Also, in a scenario when you’d want to give access to a client but don’t want them to meddle with any of the site’s functionality, MalCare’s management tool lets you assign specific user roles and access permissions so that no one can make any unintended changes. You can easily add team members and clients to all your websites.
Moreover, you can manage unlimited websites with MalCare.
What’s more, you can monitor your site uptime, get downtime alerts on Slack and also run a performance check for your website. With on-demand and scheduled client reporting, you can save time by compiling all the data and centralizing the insights.
And you can control all of it from a centralized dashboard!
When it comes to web security, there should be no compromises. After all, your website is your identity in the digital world. Care should be taken that it is not harmed in any way by anything, be it malware, viruses or hacks. MalCare will protect your website against all current and future threats. Get world-class security for as low as $8.25 per month! All the features mentioned above are available for free with any plan at no extra cost.
MalCare helps you in keeping your site safe from all the threats 24/7.
Springzo is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Springzo distils the wisdom gained from building plugins to solve security issues that admins face.