Recovering this blog from a WordPress plugin attack

An open brass padlock standing on a keyboard. The lock is lit up in red, and the keyboard flood lit in green.

I got a few email alerts from Wordfence about malicious scripts on this site. Turns out one of the plugins installed here had been sold on and was injecting JavaScript onto every page.

Critical Problems:

* File contains suspected malware URL: wp-content/plugins/widget-logic/WidgetLogicAdminConfig.php

The malicious URL matched

This was an alert that I saw whilst scanning my inbox, and also whilst looking at Wordfence scans on this blog after leaving it alone for so long. It seems that the Widget Logic plugin, one which I have used on this site and on many custom ones I built back in my freelance days (many years ago now), had been taken over last year, and a new release, which I have set to auto update here, injected JavaScript into every page.

Widget Logic was one of those utility plugins that allowed a WordPress admin to set rules for when certain widgets would be displayed in sidebars, similar to condition plugins in Drupal blocks. It became a staple of mine, and of many other WordPress sites, as it was a handy utility that would otherwise be handled in custom code.

With 3 million downloads, this looks like it became a takeover target. A new release was made in August 2024 by seemingly new owners, and that contained the embedded JavaScript. Austin Ginder reports on how he discovered the Widget Logic takeover on Anchor:

The domain widgetlogic.org was registered on June 6, 2024. Exactly two months before version 6.0.0 appeared. The new owner replaced the original single-file plugin with a multi-file structure that includes a "Live Match Widget" and a config file pointing to their domain.

He then reported this to WordPress.org, and as of April 14th 2026 the Widget Logic plugin has been closed.

This highlights an ongoing problem with free / open source plugins, extensions and other software. As developers' priorities change, and they need to earn a living, projects frequently get bought up. Because most sites have auto updates switched on, which is good practice for picking up security fixes promptly, those sites then become exposed to whatever the new owner chooses to ship: the update channel trusts the publisher's account, not the code, so a change of hands is invisible to the site receiving the update. In this case, that meant a JavaScript widget injected into every page.
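The auto-update exposure described above can be narrowed without switching updates off altogether. The following is an added example, not code from this blog or from the Widget Logic project: a must-use plugin (the filename and function names are my own) that uses WordPress's auto_update_plugin filter to let patch and minor releases install unattended, but holds any major version bump, such as the 5.x to 6.0.0 jump described here, for manual review.

```php
<?php
/**
 * Plugin Name: Hold Major Plugin Updates (example)
 * Description: Auto-install plugin updates only while the major version is unchanged;
 *              a major bump (e.g. 5.x -> 6.0.0) waits for a human to look at it.
 */
// Hypothetical path: wp-content/mu-plugins/hold-major-plugin-updates.php
// (mu-plugins load unconditionally and cannot be deactivated from the admin UI).

function hold_major_updates_major(string $version): int {
    // First dotted component of a version string: "6.0.0" -> 6, "5.10.4" -> 5.
    return (int) strtok($version, '.');
}

add_filter('auto_update_plugin', function ($update, $item) {
    // $item is built from the update API response: ->plugin is the plugin
    // basename (e.g. "widget-logic/widget_logic.php"), ->new_version the
    // version on offer. Anything malformed falls through to WordPress's default.
    if (!is_object($item) || empty($item->plugin) || empty($item->new_version)) {
        return $update;
    }

    if (!function_exists('get_plugin_data')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }

    $file = WP_PLUGIN_DIR . '/' . $item->plugin;
    if (!is_readable($file)) {
        return $update;
    }

    // Installed version from the plugin header; no markup, no translation.
    $installed = get_plugin_data($file, false, false)['Version'] ?? '';
    if ($installed === '') {
        return $update;
    }

    if (hold_major_updates_major($item->new_version) > hold_major_updates_major($installed)) {
        error_log(sprintf(
            '[hold-major-updates] %s: %s -> %s held for manual review',
            $item->plugin, $installed, $item->new_version
        ));
        // Returning false only stops the unattended install; the update still
        // shows in Dashboard > Updates, where it can be applied deliberately.
        return false;
    }

    return $update;
}, 10, 2);
```

The major-version check is a heuristic, not a guarantee: a hostile release can just as easily ship as 5.x.y, and in that case the filter lets it through. It buys a pause at the point where a change of ownership most often shows up (a rewrite under a new major), which is when the changelog, the new maintainer and the diff of the release are worth a few minutes of reading before the code runs on the site.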

It raises the challenge for me on the future of this blog. I've since removed the Widget Logic plugin. I could have prevented the JavaScript injection with a content security policy, and that's something I'll be investigating. This blog site's updates have largely been on auto pilot, so for now I'll also monitor updates a little more carefully. This blog's purpose, aside from being my tech blog site, was to be a window into the WordPress world whilst I'm mostly in Drupal space. I kind of need something simpler so I'll have to see what my options are.
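As an added example of the content security policy mentioned above (this is not code from this blog; the mu-plugin filename, function names, the SITE_CSP_ENFORCE constant and the report route are my own choices), the following emits a nonce-based CSP from a must-use plugin. Only scripts that WordPress prints through its enqueue API receive the per-request nonce, so a script tag a plugin writes straight into the page body, inline or loaded from another domain, is refused by the browser. It starts in report-only mode so violations can be collected and reviewed before anything is blocked.

```php
<?php
/**
 * Plugin Name: Site CSP (example)
 * Description: Nonce-based Content-Security-Policy; report-only until SITE_CSP_ENFORCE is defined true.
 */
// Hypothetical path: wp-content/mu-plugins/site-csp.php

function site_csp_nonce(): string {
    // One fresh, unguessable nonce per request; reused for the header and every allowed tag.
    static $nonce = null;
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

function site_csp_policy(string $nonce, string $report_uri): string {
    return implode('; ', [
        "default-src 'self'",
        // No 'unsafe-inline': a <script> without this request's nonce does not run,
        // and 'self' does not cover a third-party domain like the one in the alert above.
        "script-src 'self' 'nonce-{$nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
        "form-action 'self'",
        "report-uri {$report_uri}",
    ]);
}

// send_headers fires for front-end requests only, which is where the injection appeared.
add_action('send_headers', function () {
    $enforce = defined('SITE_CSP_ENFORCE') && SITE_CSP_ENFORCE; // define in wp-config.php when ready
    $header  = $enforce ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';
    header($header . ': ' . site_csp_policy(site_csp_nonce(), '/wp-json/site-csp/v1/report'));
});

// Stamp the nonce onto tags printed via the enqueue API (WordPress 5.7+ script tag filters).
add_filter('wp_script_attributes', function (array $attr): array {
    $attr['nonce'] = site_csp_nonce();
    return $attr;
});
add_filter('wp_inline_script_attributes', function (array $attr): array {
    $attr['nonce'] = site_csp_nonce();
    return $attr;
});

// Minimal violation receiver: browsers POST JSON here unauthenticated, so it only logs.
add_action('rest_api_init', function () {
    register_rest_route('site-csp/v1', '/report', [
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => function (WP_REST_Request $req) {
            $report = json_decode($req->get_body(), true);
            error_log('CSP violation: ' . wp_json_encode($report['csp-report'] ?? $report));
            return new WP_REST_Response(null, 204);
        },
    ]);
});
```

Two caveats a practitioner should keep in mind. First, this header is produced by PHP on the same site as the plugins it is meant to contain, so a plugin with server-side code could in principle remove or rewrite it; setting the identical header at the web server, reverse proxy or CDN keeps it out of reach of plugin code, and the PHP version above is then only needed to hand out the nonce. Second, any `<script>` the theme hard-codes in its templates will be blocked too until it is given the nonce, which is exactly what the report-only phase is for: run it for a while, read the log, fix the legitimate violations, then define SITE_CSP_ENFORCE.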

Featured Image: Photo by FlyD on Unsplash
