article featured image


As the holiday season is approaching, more and more people to rush to finish their Christmas shopping without being aware of the fact that cybercriminals don’t take time off for the holidays.

What Is Happening?

Credit card skimmers are being inserted into random plugins on e-commerce WordPress sites, allowing them to remain undetected while collecting client payment information.

Injecting card skimmers into WordPress plugin files is the newest trend, avoiding the heavily watched ‘wp-admin’ and ‘wp-includes’ core folders, where most injections are short-lived.

The attackers know that most security plugins for WordPress contain some way to monitor the file integrity of core files (that is, the files in wp-admin and wp-includes directories). This makes any malware injected into these files very easy to spot even by less experienced website administrators. The next logical step for them would be to target plugin and theme files. This is not the first time we have seen this, but what was quite fascinating about this particular infection was the way that the code was written to appear entirely benign. It wasn’t until we broke apart the code using some more advanced methods that the payload was uncovered.


According to a new Sucuri investigation, credit card thieves first get into WordPress sites and insert a backdoor into the website for persistence.

These backdoors allow hackers to access the site even if the administrator installs the latest WordPress security updates and plugins.

As reported by BleepingComputer, the threat actors then inject their malicious code into random plugins, and many of the scripts are not even disguised, according to Sucuri.

However, when the researchers examined the code, they discovered that an image optimization plugin had references to WooCommerce as well as undefined variables.

How to Stay Safe?

Only certain IP addresses should be allowed to have access to the wp-admin area and any active server-side scanners should be used to check file integrity on the website, ensuring that no code modifications go undiscovered for long.

IT admins should also examine regularly the logs and delve deeply into the specifics as the file modifications, themes, and plugin upgrades.

Did you enjoy this article? Follow us on LinkedInTwitterFacebookYoutube, or Instagram to keep up to date with everything we post!

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *