This can be done by tricking website owners into installing a backdoor hidden in pirated website software, such as premium third-party components in the form of a WordPress theme or plugin, a Magento extension, etc.
Also Read KingComposer WordPress Plugin Has a Reflected XSS Bug
The Risk of Pirated WordPress Plugins and Themes
According to Sucuri security researchers, using cracked (also known as nulled or pirated) software should be a concern to website owners:
Since these types of software usually require a fee to use or install, providers offer nulled or cracked versions that are “free” to download. What users might not realize is that “free” might come with a security price tag, and bad actors might be inclined to include a few malicious files or code snippets in a pirated version.
Of course, not all nulled cracked software hides backdoors, but it can be a great opportunity for hackers to drop their backdoors. Backdoors can be very difficult to detect. That is why Sucuri researchers are warning about the potential dangers of remote access in premium plugins and themes.
One example of a provider of pirated premium plugins and themes is found at thewordpressclub[.]org. The Terms and Conditions of the provider mentions a section about Remote Access:
By downloading any file from https://www.thewordpressclub.org and install it on your WordPress website, you allow TheWordpressClub to remotely control your website and so :
• to modify the source code
• to create and/or modify all post types content (posts, pages, products…)
As pointed out by the security researchers, “remote access for this provider is accomplished through two files which are bundled within the nulled software download”:
rms-script-ini.php is described as a malicious script which is responsible for initializing specific functions, such as creating a backdoor located at ./wp-contents/mu-plugins/rms_unique_wp_mu_pl_fl_nm.php.
Furthermore, this script is also capable of granting administrative access to hackers. The script checks for existing WordPress users using the get_users() parameter; then, it performs queries for users with administrator role privileges. Finally, it sets the wp-admin cookie to authenticate administrative access for whichever user it identifies, Sucuri says.
Also Read How To Test Your WordPress Site Security
How to avoid the risk of backdoors
Unfortunately, deleting the pirated WordPress plugins in wp-admin will not be enough, as threat actors often include other features to evade detection or hide indicators of compromise. One way to do this is by manipulating the CSS display of the wp-admin interface so that the website owner will not be able to see posts created on their own WordPress website.
The best mitigation against these risks is simply avoiding such providers. The most secure place to get plugins is the official WordPress repository, Sucuri concludes.