WP Mobile Detector Vulnerability Affects Thousands Of WordPress Sites

Earlier this week I had the task of cleaning up a hacked site. The particular issue with the site was found when visiting the website from Google search results, as the visitor would be redirected to a more-or-less random website of questionable morals, including pornography websites, affair sites such as Ashley Madison and scam sites. When accessing the compromised website directly by typing the URL into the address bar, the site was reached as normal. These kinds of hacks can be difficult to detect for site owners, but leaves potential customers exposed.

The cause of this issue was a vulnerable plugin WP Mobile Detector, which loads a mobile friendly site for mobile visitors for themes that are not responsive. A few days after cleaning the hack, Sucuri disclosed their analysis of the exploit.

The plugin has now been updated and it is safe to use version 3.6 and above.

In this particular instance the plugin wasn’t even active, just laying dormant on the website. This emphasises how important it is to delete any unused plugins, as they can still be executed even when not active. You can read more at WordPress Housekeeping. This is also a reminder to developers to make sure cannot be executed outside of the WordPress environment.

If you wish to see how widespread the issue is, look at the Google search results:¬† The majority of the results you’ll find are websites that have been compromised.

If you discover vulnerabilities with other WordPress plugins, please remember to practice responsible disclosure.

Have you been affected and need your website cleaned up? Get in touch ASAP.

In this day and age, there shouldn’t really be any need for plugins such as these for most websites. Responsive website design is the best way to cater to visitors of all different screen sizes and devices. If you are unsure of the necessity of a responsive website, read this post by Jason Resnick on The Importance of Mobile & Responsive Design.

Did you find this post useful?