Many WordPress users, trying to save some money, search for pirated versions of popular premium plugins and themes and use those instead of purchasing them.

Pirated plugins and themes

Most pirated plugins and themes contain more than the plugin or theme itself: they carry hidden code that infects the website as soon as the plugin or theme is activated.

Themes from popular theme studios, and especially themes from ThemeForest, are the main target for many websites that illegally distribute software. Plugins like Gravity Forms or Yoast SEO, plugins from CodeCanyon and even some free plugins are very popular for illegal download too. And many of my own plugins have ended up with pirated versions.

In recent months I have seen an increased number of reports that GD bbPress Toolbox Pro and GD Rating System Pro are available on various websites distributing pirated plugins and themes. There were hundreds of download links on different file hosts, some easy to download, some behind click-bait of one sort or another, and many of them flagged by Google and anti-virus software.

If you wonder how premium plugins and themes end up being pirated, there are two usual ways:

  • Pirates gain access, by chance, to a website that uses the premium plugin or theme and download it from there.
  • In many cases they purchase the plugin or theme to gain access to the download, usually with stolen credit cards. The purchase gets refunded, but the plugin or theme has already been downloaded and is ready for distribution.

How does the malware work?

To see what is being distributed, I downloaded GD bbPress Toolbox Pro from one of these websites. I also downloaded a few other popular plugins, and they all contained similar malware. Prepared for what I might get, I tried installing the plugin on an isolated local server. As soon as I activated the plugin, the website crashed. So I ran an analysis to see what had happened.

The malware code embedded in the plugin created some new files, replaced some default files and modified functions.php in every theme it found. But that is not all. The code finds the server root, searches for any other WordPress installation, and infects all of them!

The first step this malware takes is to create a wp-cd.php file in the WordPress wp-includes folder and to modify post.php, adding a line that loads wp-cd.php. As soon as WordPress loads post.php, the malicious code is executed. In some instances the loader line is added to several other WordPress files as well (canonical.php, taxonomy.php…). The wp-cd.php file is part base64-encoded PHP code and part plain code. When wp-cd.php is executed, it searches the WordPress themes folder for all themes and, in each theme, finds the functions.php file. At the beginning of this file it places the decoded version of the base64-encoded PHP code, and then it restores the file's last modification time to cover up its activity.

Once it has done that for all themes, it contacts its host website (you can see the URL in the screenshot below, lines 42 and 43). The malware sends installation data to that host so that the owner of the malware code can use it to access your website (or maybe that is done automatically; that part doesn't work on localhost, only on live websites).

Piece of the malware code

From this malicious host, the malware downloads another piece of code that completely replaces the WordPress core class-wp.php file. This code effectively replaces the loading logic WordPress uses to generate the page. In the end, wp-cd.php rewrites itself to remove the delivery code, and it disables all error reporting, masking any issues the malware might run into. And once the code in class-wp.php is executed for the first time, it creates a new administrator user account with a predefined username and password that will be used later on.

As for the code in the theme's functions.php file, it is triggered by an HTTP request from the malware owners and can do a few things: it creates a new database table where it stores its own content, it modifies the content of all posts in the database to include its own code and links, and it can generate HTML that displays their content instead of your website's content.

All this code is very convoluted, encoded and at times hard to understand, but it is also written for a specific type of server configuration. It was created to use the ‘mysql_escape_string’ function. This function belongs to the old MySQL extension in PHP, which is not available on every host. Many hosts have switched to the PDO MySQL extension, but even then the old extension might still be active alongside it. If you run PHP 7.0, this extension is completely removed, so the malware code will not be fully effective. Still, it will make a mess of many things on your website.

How to clean it up?

This is the important part. How do you remove this malware once it infects your website? The safest thing is to replace all WordPress files with clean files, delete wp-cd.php, check the functions.php of every theme and replace each one with the clean file for that theme. And finally, remove the pirated plugin or theme you used in the first place. But if you run an older server setup, your database will be infected as well. Cleaning that might prove very hard, considering that every post you have will have been modified by this malware. This malware was designed to infect websites hosted with older, less reliable hosting companies that will not be quick to respond to the infection.
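As an added example (not code from the original article or from Dev4Press), here is a small read-only triage script that checks an installation for the indicators described in the two sections above: the dropped wp-includes/wp-cd.php, loader lines added to post.php, canonical.php, taxonomy.php or class-wp.php, obfuscation calls (and the legacy mysql_escape_string call) prepended to each theme's functions.php, and, when a clean copy of the same WordPress version is available, core files whose contents differ from it. Comparing contents rather than timestamps matters here because the article notes the malware restores the modification time of the files it edits. The fixture built by make_demo is constructed for a stand-alone run; the file names are the ones the article reports, and the script repairs nothing.

```shell
#!/bin/sh
# Read-only triage for the wp-cd.php infection pattern described in the article.
# Prints findings to stderr and the number of findings to stdout.
# Usage: wp_scan /path/to/wordpress [/path/to/clean/wordpress]

wp_scan() {
    root=$1
    clean=$2
    findings=0

    # 1. Dropped file named in the article.
    if [ -f "$root/wp-includes/wp-cd.php" ]; then
        echo "DROPPER: $root/wp-includes/wp-cd.php exists" >&2
        findings=$((findings + 1))
    fi

    # 2. Loader lines injected into core files so the dropper runs on every request.
    for f in post.php canonical.php taxonomy.php class-wp.php; do
        p="$root/wp-includes/$f"
        [ -f "$p" ] || continue
        if grep -q 'wp-cd\.php' "$p"; then
            echo "LOADER: $p references wp-cd.php" >&2
            findings=$((findings + 1))
        fi
    done

    # 3. Payload prepended to theme functions.php: obfuscation primitives plus the
    #    legacy MySQL call the article mentions. Legitimate themes rarely need
    #    these, but review every hit by hand before deleting anything.
    for fn in "$root"/wp-content/themes/*/functions.php; do
        [ -f "$fn" ] || continue
        if grep -Eq 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|mysql_escape_string\(' "$fn"; then
            echo "THEME: $fn contains obfuscation or legacy-MySQL calls" >&2
            findings=$((findings + 1))
        fi
    done

    # 4. Content comparison against a clean copy of the same version. Timestamps
    #    are not trusted because the malware restores mtime after editing files.
    if [ -n "$clean" ] && [ -d "$clean" ]; then
        for p in $(cd "$clean" && find wp-includes wp-admin -type f -name '*.php'); do
            if [ -f "$root/$p" ] && ! cmp -s "$clean/$p" "$root/$p"; then
                echo "MODIFIED: $p differs from the clean copy" >&2
                findings=$((findings + 1))
            fi
        done
        for p in $(cd "$root" && find wp-includes wp-admin -type f -name '*.php'); do
            [ -f "$clean/$p" ] || { echo "EXTRA: $p is not in the clean copy" >&2; findings=$((findings + 1)); }
        done
    fi

    echo "$findings"
}

# Constructed fixture (not a real install): a tiny "clean" tree and a copy of it
# carrying every indicator above, with inert placeholder content.
make_demo() {
    base=$(mktemp -d)
    for t in clean infected; do
        mkdir -p "$base/$t/wp-includes" "$base/$t/wp-admin" "$base/$t/wp-content/themes/demo"
        printf '<?php\n// core post functions\nfunction get_post() {}\n' > "$base/$t/wp-includes/post.php"
        printf '<?php\nclass WP { function main() {} }\n' > "$base/$t/wp-includes/class-wp.php"
        printf '<?php\n// admin\n' > "$base/$t/wp-admin/admin.php"
        printf '<?php\nadd_theme_support("title-tag");\n' > "$base/$t/wp-content/themes/demo/functions.php"
    done
    i="$base/infected"
    printf '<?php\n// dropper placeholder (constructed, inert)\n' > "$i/wp-includes/wp-cd.php"
    printf '<?php\nrequire_once __DIR__ . "/wp-cd.php";\n// core post functions\nfunction get_post() {}\n' > "$i/wp-includes/post.php"
    printf '<?php\nclass WP { function main() { /* replaced by downloaded code */ } }\n' > "$i/wp-includes/class-wp.php"
    printf '<?php\neval(base64_decode("PAYLOAD_PLACEHOLDER"));\nadd_theme_support("title-tag");\n' > "$i/wp-content/themes/demo/functions.php"
    echo "$base"
}

# Stand-alone run: scan the paths given on the command line, or the demo fixture.
if [ "$#" -ge 1 ]; then
    wp_scan "$@"
else
    demo=$(make_demo)
    wp_scan "$demo/infected" "$demo/clean"
    rm -rf "$demo"
fi
```

On a live server, a clean reference copy is simply the same WordPress version unpacked from WordPress.org; WP-CLI's `wp core verify-checksums` does the same content comparison against the official checksums without a local copy. Neither check covers the database: the post content and extra table the article describes still have to be reviewed separately.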

Other malware types

Many users are not experienced enough to recognize malicious code. The example here is just one of hundreds of variations out there. Some display ads, some replace your content and ask for a ransom to unlock it, some delete everything your website has, some steal your users’ information. And all of this malware is constantly evolving. I expect that in a few weeks this malware will work fine on PHP 7 with updated code, and most likely it will do even more damage to your website.

Also, some malware targets specific plugins you might have (security plugins, file scanners) and disables them. So even if you have a security plugin that should detect file changes, it can be completely useless once the malware has disabled it.

WordPress security and malware

WordPress is a very secure system. If you use a good security plugin to harden it further, your website will be protected against all sorts of attacks. But if you install malware yourself, by installing a pirated plugin or theme, then the security systems are irrelevant: you have introduced the malware yourself and allowed it to modify WordPress and make it insecure. No matter how well a website is protected, it can’t fight back if the website owner deliberately adds malicious code to it.

Even if you don’t know that the plugin you installed contains malware, you are to blame, because you knowingly downloaded the plugin from a suspicious website and installed it (or the theme). All the security systems you have will fail because of the human factor.

How to protect your website?

There are a few things you need to know:

  • Use reliable hosting companies to host your website! They will always run the latest server software and the latest versions of PHP and MySQL, which ensures that server-specific exploits will not work.
  • Update your website regularly! This ensures that the WordPress core is always secure and contains the updates that fix potential security holes and other problems. The WordPress development team is quick to fix any security issue, and it is essential to run the latest WordPress version.
  • Download WordPress from WordPress.org only! Never download WordPress from another website; you might end up with a website full of malware from the moment you install it.
  • Download free plugins from WordPress.org only! There were a few instances in the past where malicious users tried to distribute malware through WordPress.org plugins, but in general WordPress.org is safe and maintained by many dedicated developers who react quickly to any malicious activity.

And since this article is about malware in pirated premium plugins and themes, this part is critical:

If you need a premium plugin or theme, buy it from the developer directly and download it from the developer's website only! By buying the premium plugin or theme you get, depending on the developer, support, access to the knowledge base and other support resources, and regular updates with new features and fixes. If you decide to save some money and download pirated plugins and themes, you can end up losing your website and your hard work, and you may end up paying someone to clean up your website. And if that happens, you can only blame yourself.

Most premium plugins and themes are fairly priced, and that price reflects the hard work developers invest to make the plugin or theme and to support it. I understand that the price might be high for some users, but most developers offer discounts, especially around important holidays, and there is always a way to save some money and still get the full premium product. In the end, the price you pay will never be as high as the price you might end up paying by using pirated plugins and themes.

About the author

MillaN
Dev4Press owner and lead developer

Programmer since the age of 12 and now WordPress developer with more than 8 years of WordPress experience, author of more than 100 plugins and more than 20 themes.

5 Comments

  1. Thanks a ton mate. I just received an email from Wordfence that class.wp.php was infected. I checked my host and observed that all of my blogs had class.wp.php which had obfuscated code. I decoded it and came to know that it was inserting users into the database. I then came across your post and I also removed the wp-cd.php file from all my blogs. I then edited all post.php files and removed the code which was calling wp-cd.php. Could you please let me know what else I should do?

    1. MillaN says:

      Thank you for sharing your experience. You need to remove whatever plugin (or theme) did this in the first place. Replace all WordPress files, check all themes for extra code and all plugins too; best to remove them and upload clean files. Remove users added by this malware. And stop downloading pirated plugins; the price of the plugin is not worth getting your website destroyed.

      1. Thanks for the quick response. I appreciate it.

        Isn’t there an alternate way to scan all files on cpanel for “malicious code injector”? I have multiple blogs running on shared host.

        How about the possibility of malicious code in database? If the db is hacked then how would I know which fields/tables need to be removed?

        BTW I have created a ticket on hostgator support asking them to scan all the files and database for malicious code.

        1. MillaN says:

          There are some security plugins that can do that, but they are usually checking only if files are changed in some way, and the process is not 100% reliable.

          1. Alright. Thanks again for the article and your inputs.
