Three WordPress Plugins Removed for Containing Backdoors


According to Dan Moen of Wordfence, in the last two weeks the WordPress plugin repository has closed three plugins because they contained content-injection backdoors. “Closing” a plugin means that it is no longer available for download from the repository and will not show up in search results. Each of them had been purchased in the previous six months as part of the same supply chain attack, with the goal of injecting SEO spam into the sites running the plugins.

What We Know About these Plugins

Duplicate Page and Post

Active Installs: 50,000+
Current Owner: pluginsforwp (joined July 10, 2017)
Sold Date: August 2017
Removal date: December 14, 2017

The Backdoor Code
This content injection backdoor first appeared in version 4.2.1 (released 4 months ago):

Backdoor Code Image

No Follow All External Links

Active Installs: 9,000+
Current Owner: gearpressstudio (joined March 17, 2017)
Sold Date: April 2017
Removal date: December 19, 2017

The Backdoor Code
This content-injection backdoor first appeared in version 2.1.0 (released 8 months ago).

Backdoor Code1 Image

WP No External Links

Active Installs: 30,000+
Current Owner: steamerdevelopment (joined June 29, 2017)
Sold Date: July 12, 2017
Removal date: December 22, 2017 (we’re assuming this based on the date of the last update note, from a member of the plugins team)

The Backdoor Code
This content-injection backdoor first appeared in version 4.2.1 (released 4 months ago).

BackDoor Code2 Image

All of the above backdoors make a request to and will return content based on the URL and user agent passed in the query string. This code runs on every request to the site, so it can be used to inject content for normal site visitors, web crawlers, or the site administrators. We’ve seen content injection in the past, and it’s typically used to inject cloaked backlinks, a form of SEO spam. resolves to the same IP as,, the API endpoint used in all three plugin backdoors.

Conclusion and Recommendations

According to Wordfence, someone with the name or alias Daley Tias purchased WP No External Links and Duplicate Page and Post. The backdoor code for both plugins calls an API endpoint hosted on the same IP. The same company, Orb Online, paid for both the No Follow All External Links and Duplicate Page and Post plugins. Additionally, the purchase solicitation for No Follow All External Links was written from the same template used to solicit the purchase of WP No External Links. All three plugins were purchased by a user that was created within a month of the purchase. Furthermore, the backdoor code used in all three plugins is very similar.

Based on this evidence, it seems that the same criminal actor was responsible for purchasing and adding backdoors to all three of these plugins, with the goal of injecting SEO spam into the thousands of websites running the plugins. It is not too much of a stretch to assume that Orb Online has been leveraging injected spam links to boost search engine rankings for their customers.

Supply chain attacks targeting WordPress plugins are becoming more and more popular. Wordfence lets you know when a plugin has been removed from the repository. As a site owner, it is incredibly important to stay on top of these, and treat removed (or closed) plugins with an abundance of caution.

If you have any of these plugins running on your site, we recommend that you remove them immediately and that you make sure that SEO spam hasn’t been injected into your site. Even though one of them, WP No External Links, has been updated to remove the backdoor, it has been closed, so it will never be updated again in the future.
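One way to check a site for the three plugins named above, as an added example (not code from Wordfence or from this site): it reads the `Plugin Name:` and `Version:` header of each installed plugin and compares the version with the first backdoored release given in this article. It assumes the plugins' header names match the names as written here; the sample directory and file names are constructed.

```python
import re
import tempfile
from pathlib import Path

# Plugin names and first backdoored versions exactly as listed in the article
# (assumption: each plugin's header uses the name as written here).
CLOSED_PLUGINS = {
    "duplicate page and post": "4.2.1",
    "no follow all external links": "2.1.0",
    "wp no external links": "4.2.1",
}
# Matches "Plugin Name:" / "Version:" lines inside a plugin's header comment.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def version_key(version):
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def read_header(php_file):
    """Parse header fields from the first 8 KiB, the part WordPress itself reads."""
    text = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    return {key.lower(): value for key, value in HEADER_RE.findall(text)}

def audit(plugins_dir):
    """Return one finding per installed plugin whose header name is on the list."""
    findings = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php_file)
        name = header.get("plugin name", "").lower()
        if name in CLOSED_PLUGINS:
            installed = header.get("version", "0")
            findings.append({
                "dir": php_file.parent.name,
                "version": installed,
                # True when the installed release is the first backdoored one or newer.
                "at_or_after_backdoor": version_key(installed) >= version_key(CLOSED_PLUGINS[name]),
            })
    return findings

def demo():
    samples = {  # constructed sample data; directory and file names are made up
        "sample-dup": "<?php\n/*\n * Plugin Name: Duplicate Page and Post\n * Version: 4.2.1\n */\n",
        "sample-nofollow": "<?php\n/*\nPlugin Name: No Follow All External Links\nVersion: 2.0.9\n*/\n",
        "sample-other": "<?php\n/*\nPlugin Name: Some Other Plugin\nVersion: 1.0\n*/\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for directory, source in samples.items():
            Path(root, directory).mkdir()
            Path(root, directory, "main.php").write_text(source)
        return audit(root)
```

Point `audit()` at the site's `wp-content/plugins` directory. A listed plugin is reported even when its version predates the backdoor, because all three are closed and will receive no further updates.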
