Is it possible to write a virus in the form of a WordPress plugin/theme?
Is it possible to:
- steal user data?
- damage existing WordPress installation?
- (optionally) self-spread the virus?
Are there any existing cases of this kind of virus?
When you write PHP code, you can do just about anything. So when you run the code of a plugin, it can do just about anything as well.
Depending on your server setup, a plugin can take over your server. If you allow it to download files that it can execute, it would be able to download any code that it would be able to run on your server. If the user running the code has enough privileges, it can do stuff like changing the password, effectively shutting you out of the server.
But all of this will be easy to spot, so if a lot of people are using it, you should be safe to download and use it, since expert PHP developers would have found out about it.
So the short answer is: yes, almost anything is possible, but the dangers are not that great if you use popular plugins.
I think a bigger danger would be that the plugin is poorly written and will accidentally create a security risk, like not validating user-provided data, etc.
Yes. Yes. Yes.
All of these are not only possible, but also easily encountered in the wild. There have been whole waves of self-spreading WordPress malware for some older insecure versions.
Everything WordPress has access to – any theme or plugin has access as well. Stealing or ruining data is trivial for code running as WP extensions.
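Since a plugin can reach everything WordPress can, one pre-install check is to list which sensitive capabilities its PHP source actually uses. The script below is an added example, not part of the original answers; the capability groups, severity labels and sample files are assumptions constructed for illustration, and plain pattern matching will not catch obfuscated code.

```python
import re

# Capability groups a reviewer would want justified before installing a plugin.
# The grouping is an assumption for this example, not an official WordPress list.
CAPABILITIES = {
    "dynamic_exec": r"\b(eval|assert|create_function|system|exec|shell_exec|passthru|proc_open)\s*\(",
    "remote_fetch": r"\b(curl_exec|wp_remote_get|wp_remote_post|fsockopen)\s*\("
                    r"|\bfile_get_contents\s*\(\s*['\"]https?://",
    "file_write": r"\b(file_put_contents|fwrite|move_uploaded_file|copy)\s*\(",
    "account_change": r"\b(wp_set_password|wp_insert_user|wp_create_user|wp_update_user)\s*\(",
    "raw_input": r"\$_(GET|POST|REQUEST|COOKIE)\b",
}

def audit_plugin(files):
    """files maps path -> PHP source. Returns (findings, severity).

    findings maps capability -> [(path, line_number), ...].
    This is line-based triage, not a PHP parser: hits in comments count too.
    """
    findings = {}
    for path, src in files.items():
        for lineno, line in enumerate(src.splitlines(), 1):
            for cap, pattern in CAPABILITIES.items():
                if re.search(pattern, line):
                    findings.setdefault(cap, []).append((path, lineno))
    caps = set(findings)
    # Fetching remote content and then running or storing it is the
    # "download files that it can execute" case from the first answer.
    if "remote_fetch" in caps and caps & {"dynamic_exec", "file_write"}:
        severity = "high"
    elif caps & {"dynamic_exec", "account_change"}:
        severity = "medium"
    elif caps:
        severity = "low"  # e.g. raw request input: check that it is validated
    else:
        severity = "none"
    return findings, severity

# Constructed sample plugin files (not taken from any real plugin).
SAMPLE = {
    "updater.php": "<?php\n$body = wp_remote_retrieve_body(wp_remote_get($url));\n"
                   "file_put_contents(__DIR__ . '/cache.php', $body);\n",
    "form.php": "<?php\n$name = $_POST['name'];\necho $name;\n",
}

if __name__ == "__main__":
    found, level = audit_plugin(SAMPLE)
    print(level)
    for cap, hits in sorted(found.items()):
        print(cap, hits)
```

A "high" result means the flagged lines need a manual read before the plugin goes on a production site; a clean result only means none of these patterns appeared in plain form.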