I was Offered $5k/month to Hack WordPress Sites

I have been doing this development thing for over 15 years now. I have written two books about WordPress. I have chalked up some war stories of manic clients and epic bugs vanquished, but nothing was as crazy as the time I was offered $5,000 a month to hack WordPress sites by distributing and maintaining vulnerable plugins. How exactly this unfolded is the subject of this article.

There are a couple things I had already learned by the time I was propositioned. One is that WordPress is a trash-heap of sophomoric development ideas and the developers who love it are like so many seagulls and foxes that scavenge off of its smelly detritus. Yeah, I know, that’s some heavy-handed criticism right there, but let’s just skip to the heart of the matter: do you really want to stick your flag in that and claim allegiance? WordPress is a complex and poorly-documented chain of “actions” and “filters” with a deep reliance on loosely-scoped variables with no logs. How do you test that? What poor workarounds are required to develop and deploy it in multiple environments? The savage roast of its shortcomings deserves its own post, but let’s just say that any non-biased observer with any real engineering experience would quickly conclude that the workflows for development mandated by WordPress are not normal and lead to substandard results. Sure, sometimes we must hold our nose and “take out the trash”, but let’s not lie to ourselves and say it smells like roses or represents some paragon of excellence.

The second thing I had learned from working on WordPress sites is how tempting a target it is. Its signature is unmistakable. Even without an analyzer like builtwith.com, it takes only a few clicks to determine that a site is running WordPress. A few more clicks will tell you what version and which plugins it is running. The security lapses are baked in. Not only does the technology broadcast itself loudly, like the vast garbage patches choking our oceans or our landfills visible from space, WordPress is everywhere.

The owner of a WordPress site must take it upon themselves to update their plugins, themes, and WordPress itself. This task must be done diligently and on a regular basis, otherwise vulnerabilities can be exploited. My observations over the years was that clients shirked this responsibility: they didn’t want to pay a retainer to have someone else do it for them either. More often than not they would try to cut even more corners by choosing a cheap host, invariably some cookie-cutter shared hosting environment running cPanel (which has its own security lapses to worry about). I watched as these neglected sites got drafted into the armies of darkness by networks of hackers and their bots.

Hacked WordPress sites turn up in other scandals too. Remember the Panama Papers? Like the Paradise Papers that followed, they detail how the wealthy elite are hiding vast sums of money in offshore entities so they can consistently avoid paying their share of taxes. That’s worth another article or two, but the extremely likely source of that leak was an out-of-date WordPress plugin.

There are other ways that WordPress sites are exploited to turn them into attack vectors, too. Automated bots can sign up for accounts using a victim’s email address and overload a target’s email account or its mail server. Pingback attacks can trigger a DDoS attack on any target. These weaknesses are usually considered “features”, not bugs, and the dark web smiles its crooked smile.

Let’s not forget that WordPress is a terrible place to be for a developer. Not only are you coding blindfolded with one hand tied behind your back, you are competing with hundreds of thousands of other would-be developers from around the world on any potential project. It’s a race to the bottom that you are sure to lose.

Further exacerbating the problem are clients who possess zero ability to evaluate the quality of any code submitted to them. I can’t tell you how many times I was brought in to “fix” some irritating problem that a company’s “offshore team” had been unable to solve. Invariably, when I would look at their code, it would be straight out of the trash-heap. Some of the errors were quite serious. Often the project was unsalvageable. When confronted with the errors, the overseas developers would scuttle away like cockroaches, leaving emails unanswered and Skype accounts abandoned. It repeatedly brought to mind the saying: “If you think it’s expensive to hire a professional, wait until you hire an amateur!”

To say that I was disillusioned with WordPress by that point would be an understatement. Even though I had a couple books and plugins under my belt (one of which was reasonably popular), virtually none of that had translated into any paying work. But the emails and support requests from users kept coming. I wanted out. It could have been a full-time job for no pay just keeping up with the tweaks and correspondence.

I advertised on eLance (now Upwork) for a WordPress developer to take this load off my hands. Within 24 hours I had received over 100 applications. I had asked for a code sample with each application. And most of them were absolutely terrible. Some of these applicants represented “professional” development companies with recognizable clients, and their “résumé quality” code contained egregious security flaws or was just plain amateurish. Only two applications were remotely acceptable, but they did not pan out.

So when I was approached by someone to outright buy my plugin, I was receptive to the idea. It seemed like I could finally escape the stench of the trash heap. Via Skype, I walked him through the plugin’s structure, its documentation, and how to make basic changes. We agreed on a price and an hourly rate for any support he would need after the initial purchase. His PayPal payment came through, and I breathed a sigh of relief.

Within a couple days, however, my inbox had exploded. My voicemail had messages. The guy who I had sold the plugin to had added a backdoor and stole admin credentials from any site running it. I was horrified. Then I saw that he had opened a PayPal dispute that effectively reversed the payment he had made. So now I had lost everything I had invested in the plugin: my time, my reputation, and even the pittance of a payment.

WordPress.org quickly shut down the plugin and his developer account (wooranker) was suspended — perhaps the only wise thing I did here was to force him to use his own WordPress username to make the edits so it was abundantly clear who was responsible.

When I confronted him about it, the conversation quickly got weird. He seemed to think that I was the one who had shut down his account and that somehow, I could turn it back on. And he kept talking about money and promising me monthly payments in return if I could help him out. “please do tell me your average salary… (per month). please don’t mind bro, tel me.”

I kept my cool for a while, trying to figure out what the hell he was on about. I honestly wondered if he was high. “you will be getting 5000$ every month. (in any form you wish). i’ll make sure to limit your work to 10–15 hours a week. (it will hardly be 2 hours a week). -but just to make sure you won’t shout on me later ;) (y) kidding.” This coming from a guy who was actively screwing me over for a few hundred dollars. Riiiiiight.

Here I was chatting with a script kiddie committed to a life of cybercrime. He had a name: Vishnudath Mangilipudi. His address was listed as

Plot No LIG55
Bapuji Nagar
Kavali, Andhra Pradesh
524201
India

During the dizzying Skype discussion that followed, he revealed how he made money off of this scam. He would buy legitimate WordPress plugins and then introduce backdoors in them. “all you need to do is set a small glitch in the plugin, and make sure other blackhaters [sic] won’t find it.” This kid was fronting for some shadowy “client” of his who supposedly made money from ads on the sites. “i just resell it to him. and pay the half of the profit i got to my original plugin owner. thats what i actually do.”

I was a fool for selling my plugin to a guy like this — I regret pretty much every experience I have ever had with WordPress, but this one above all. In retrospect, there were plenty of red flags: he seemed conspicuously bad at coding, and although he said he wanted to work on updating WordPress plugins, had never used Subversion (SVN) before. He had really wanted me to make the changes instead of him.

He actually believed he was helping make sites more secure by hacking them. He cited an article on Forbes as “proof” of his benevolent good intentions. In reality, I’m sure that the efforts to keep the sites “clean” was just good business: all he wanted to do was ensure that some other gang of hackers didn’t recruit the site into their zombie army.

In the end, I was never compensated for my time and he walked away without punishment. I contacted PayPal, the authorities in India, even the FBI. Nobody responded. This was just business as usual I suppose. If I could do it over again, I would have just deleted the plugin or not have written it at all. I haven’t touched a WordPress site since. It is not worth the trouble.