A malicious WordPress plugin has been used by hackers to install backdoor to approximately 2,00,000 websites, reports IT security firm Wordfence. The plugin named Display Widgets, allows its authors to upload spam to the infected website.

The malicious plugin, though removed from WordPress, has reappeared time and again until it was permanently removed on September 8 by Wordfence.

Once installed, the plugin allowed the hackers to write whatever they wanted without the knowledge of the infected site owner. In fact it did not let the logged in user or site owner to view the spam content.

Advising the site owners on the plugin, the CEO of Wordfence Mark Maunder said, “If you have a plugin called Display Widgets on your WordPress website, remove it immediately. The last three releases of the plugin have contained code that allows the author to publish any content on your site. It is a backdoor”.

Wordfence mentioned about that details of WordPress’ long battle to remove the Display Widget. The plugin was developed as an open-source plugin, which was sold by its developer on June 21. Promptly the new owner launched an updated version, 2.6.0. The next day WordPress was informed by David Law, a UK based SEO consultant that the widget had started installing additional code and then began downloading data from Law’s on a server.

The WordPress team removed Display Widget on June 23. On June 30 a newer version 2.6.1 of the plugin emerged. It contained a malware code – geolocation.php. This allowed the hackers to post content to any URL they liked on the infected site.

Wordfence noted that each time the plugin was removed it issued a “Critical Alert” to warn users. After its permanent removal, the ownership of the plugin now rests with a service named WP Devs, that buys old and abandoned plugins.