Backdoor Lurks Behind WordPress Caching Plug-in to Hijack Websites

Sophisticated malware capable of creating an administration account for a website is lurking behind an authentic-looking WordPress caching plug-in, giving threat actors a way to completely hijack infected websites at will.

Researchers from Wordfence discovered the plug-in, which can perform a variety of malicious tasks while masquerading as legitimate add-on software for the WordPress platform, they revealed in a blog post Oct. 11. Chief among this activity is the ability to create an admin account and remotely activate plug-ins — basically giving threat actors free rein over infected sites.

The backdoor can work both as a standalone script and also as a plug-in, with features like remote plug-in activation and conditional content filtering that give it evasion capabilities difficult for inexperienced users to detect.

Other capabilities include the ability to add filters to prevent the malware from being included in the list of activated plug-ins, pinging functionality that allows a malicious actor to check if the script is still operational, and file-modification capabilities. Further, the backdoor can activate or deactivate arbitrary plug-ins remotely, which is "useful to disable unwanted plug-ins and also to activate this malicious plug-in as needed," Wotschka wrote.

"Since the malicious file runs as a plug-in within the context of WordPress, it does have access to normal WordPress functionality just like other plug-ins do," Wordfence vulnerability researcher Marco Wotschka wrote in the post. "Taken together, these features provide attackers with everything they need to remotely control and monetize a victim site, at the expense of the site’s own SEO rankings and user privacy."

A Wordfence analyst discovered a sample of the malware during a site clean on July 18, and created a signature the following day, which was subsequently tested and released to Wordfence customers on Sept. 1.

Malicious Plug-in: A Hidden but Detectable Malware Enemy

The researchers broke down some of the key functionality of the malicious plug-in, including features that are most likely to arise suspicion among current site administrators or users.

One of those is to use wp_create_user function to create a new user account with the username superadminand a hardcoded password to set up an attacker as a website administrator. This account is removed once a victim has been successfully compromised as a way to remove traces and thus reduce changes of detection, according to Wordfence.

"While often seen in test code, user creation with hardcoded passwords should be considered a red flag, and the elevation of this user to an administrator is certainly reason enough for suspicion," Wotschka wrote.

The malicious plug-in also includes bot detection code, which is often present in malware on a website that serves normal content to some users while redirecting or presenting malicious content to others.

"One common thread shared by these infection scenarios is that site owners find their site looks fine to them, but their visitors have reported issues such as seeing spam or being redirected to dubious sites," Wotschka explained.

Further, since this kind of malware wants search engines to find the malicious content, it is usually served to them as they index a site, he said. Threat actors use keyword stuffing to help increase traffic sent to infected sites, with administrators often reporting a sudden, unexpected surge in site traffic when their sites are hit by an infection.

While the presence of bot detection code on its own is not enough to verify that malicious activity is present on a website, it does stand out as suspicious activity, Wotschka added.

Securing WordPress Sites

Plug-ins remain an exposed and sizeable attack surface for WordPress and the millions of sites built on it, an endemic issue that remains a persistent threat. Threat actors have targeted WordPress sites via both malicious and vulnerable plug-ins, with both issues often going unnoticed by site operators until after a website is already under active attack.

Overall, anyone building websites using WordPress should follow security best practices in how they configure the sites to ensure they remain as protected as possible. Wordfence advised that they should also include some type of security monitoring on the site in case of compromise even after following these practices.