Sometimes website owners no longer want a domain name and allow it to expire without attempting to renew it.
This happens all the time and is completely normal, but it’s important to remember that attackers regularly monitor domain expirations and may target certain domains that meet specific criteria.
Vendor domains can be an easy backdoor
For whatever reason, a vendor may allow their domain’s registration to expire, which means it can become available for an attacker (or anyone else) to operate.
We recently found this exact scenario with the now-defunct WordPress plugin visual website editor and its domain tidioelements.com, which was kindly reported to us by a website owner who encountered suspicious activity while using it.
The attacker’s strategy depends on the fact that some websites might still have the plugin installed and activated, and continue to load resources and assets from the expired domain.
The project was dropped and the plugin is no longer available for download in the WordPress repository. Nevertheless, attackers were able to take advantage of the expired domain to load content, which highlights the importance of keeping all software up to date and removing any old plugins that are not actively used day to day. Another important tip to harden your website is to only use resources from official, trusted and reputable sources.
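One way to check a site for this exposure is to list every third-party host its rendered pages load resources from and compare that list against hosts you have reviewed. The script below is an added example, not code from the original article or the plugin; the sample HTML, the path on tidioelements.com, the example.org and example.net hosts and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose attribute makes the browser fetch (and, for scripts, run) remote content.
# For <link>, href is checked regardless of rel, so review those hits by hand.
LOADERS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


class ExternalResources(HTMLParser):
    """Collect resources a page loads from hosts other than its own."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr = LOADERS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        # urlparse also handles protocol-relative URLs such as //host/file.js
        host = (urlparse(attrs.get(attr) or "").hostname or "").lower()
        if host and host != self.site_host:
            self.found.append({"tag": tag, "host": host, "url": attrs[attr],
                               "sri": bool(attrs.get("integrity"))})


def audit(html, site_host, trusted_hosts):
    """Return external resources whose host is not on the reviewed allowlist."""
    parser = ExternalResources(site_host)
    parser.feed(html)
    trusted = [t.lower() for t in trusted_hosts]
    return [r for r in parser.found
            if not any(r["host"] == t or r["host"].endswith("." + t) for t in trusted)]


# Constructed sample: markup a defunct plugin might leave in a rendered page.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/wp-content/themes/site/style.css">
<script src="https://cdn.example.net/lib.min.js" integrity="sha384-CONSTRUCTED"></script>
<script src="//tidioelements.com/constructed/editor.js"></script>
</head><body><img src="https://example.org/logo.png"></body></html>
"""

if __name__ == "__main__":
    for r in audit(SAMPLE_HTML, "example.org", ["example.net"]):
        print(f"REVIEW <{r['tag']}> from {r['host']} (SRI: {r['sri']}): {r['url']}")
```

Each flagged host is a candidate for a registration check and for tracing back to the plugin or theme that emits the tag, so the unused component can be removed.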