While most of the website development we do is completed using the Joomla CMS, we have several clients that prefer WordPress. As such, we keep a watchful eye out for any WordPress news that may be of interest. In recent weeks we have noticed several posts from other authors highlighting a significant vulnerability that has been discovered in a third-party WordPress plugin.
Both Sophos (https://nakedsecurity.sophos.com/2020/04/29/flaw-in-defunct-wordpress-plugin-exploited-to-create-backdoor/) and Tech Radar (https://www.techradar.com/nz/news/thousands-of-wordpress-sites-redirecting-users-to-dangerous-domains) have highlighted the significant vulnerability exposed by the OneTone plugin. It is estimated that over 900,000 WordPress sites have been targeted in this attack, which is designed to insert "backdoors" into vulnerable websites and redirect users to malicious websites.
Sadly, as development of the OneTone plugin seems to have halted, there is very little likelihood that the vulnerability will be plugged. The following quote from Tech Radar is the best advice we can give:
"If your site uses any of these plugins or themes, it is highly recommended that you update them immediately and remove any that are no longer in the official WordPress repository."
If you are unsure how to go about updating your WordPress site, or simply need reassurance that your site is as secure as possible, please give us a call.