This was a little unusual, as most attacks on eCommerce websites append code to the end of a file, which is more effective for the attackers but also easier to find. They had also gone to some trouble to cover their tracks by clearing the cache after the attack.
What gave the attack away most was an additional PHP file that loaded the malicious code.
How the attackers actually got access to the WooCommerce plugin files was not known; most likely it was through a vulnerability in WordPress or WooCommerce.
This attack is a reminder to all eCommerce websites that you must protect your website with some of the following recommendations:
- Keep WordPress, WooCommerce and all plugins up to date
- Use strong passwords for administrators, with two-factor authentication on login
- A security plugin like Wordfence is also recommended
- Disable direct file editing for wp-admin by adding the following line to your wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
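
Both signs described above (code changed inside an existing plugin file rather than at its end, and an extra PHP file) show up in a comparison against hashes taken from a clean copy of the plugin. The following is an added example, not part of the original article; the function names and the sample plugin tree are constructed for illustration, and in practice the manifest would be built from a clean download of the same plugin version.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def audit(root: Path, known_good: dict[str, str]) -> dict[str, list[str]]:
    """Compare a live plugin tree with a manifest taken from a clean copy."""
    current = build_manifest(root)
    return {
        # Content changed anywhere in the file, not only at the end.
        "modified": sorted(f for f in current if f in known_good and current[f] != known_good[f]),
        # Files the clean release never shipped, e.g. a loader PHP file.
        "unexpected": sorted(f for f in current if f not in known_good),
        "missing": sorted(f for f in known_good if f not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: a tiny stand-in plugin tree, then a simulated tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "sample-plugin"
        (plugin / "includes").mkdir(parents=True)
        checkout = plugin / "includes" / "checkout.php"
        checkout.write_text("<?php\nfunction a() {}\nfunction b() {}\n")
        (plugin / "sample-plugin.php").write_text("<?php\n// plugin header\n")
        manifest = build_manifest(plugin)  # taken while the tree is clean

        # Simulated tamper: a line added in the middle, plus one extra file.
        checkout.write_text("<?php\nfunction a() {}\n// changed line\nfunction b() {}\n")
        (plugin / "includes" / "extra.php").write_text("<?php\n// not in release\n")
        return audit(plugin, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Store the manifest somewhere the web server user cannot write to, otherwise an attacker who can edit plugin files can also rewrite the reference hashes.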