New WordPress Malware Gives Attackers Admin Privileges

A sophisticated malware camouflaged as a legitimate caching plugin has been discovered compromising WordPress sites. Researchers from Wordfence uncovered this malware, which allows attackers to gain control of affected websites.

The initial discovery occurred during a routine site cleanup by Wordfence analysts on July 18, 2023. Within a day, a signature for the malware was developed and made available for production within two weeks after thorough testing. As of September 1, 2023, users of the free version of Wordfence received this signature, while Premium, Care, and Response users had firewall protection against the backdoor since October 9, 2023.

This rogue code exhibits a unique blend of functionalities:

• Stealth Features: Not only does the malware convincingly present itself as a caching tool, but it also excludes itself from the active plugins list, further evading detection.
• User Manipulation: The malware can create and use a user account named “superadmin” that offers full administrative rights. There’s also a function in the malware’s code to erase this account, diminishing any traces of its sinister activities.
• Redirect Site Visitors: Certain website visitors may be redirected to dubious sites containing scams or additional malware.
• Content Tampering: The malware can modify post and page content, including the insertion of malicious links. Notably, these changes are hidden from users with admin privileges, which prolongs the discovery of any compromise. The malware can also clean up any traces of malicious activity from the WordPress database.
• Plugin Management: Attackers can use the malware to remotely activate or deactivate any installed plugins. This flexibility allows them to disable undesired plugins and allows for the reactivation of their malevolent plugin as needed.

These combined functionalities provide attackers with a robust toolkit for remote site control and monetization, all at the expense of the compromised site's reputation and user privacy.

WordPress site owners are urged to maintain vigilance and ensure they only download plugins from the official platforms of trusted sources. Wordfence's layered protection approach, even for its free users, assures a significant defense against such advanced threats. However, given the ever-evolving nature of cyber threats, engaging in continuous monitoring and adopting best security practices remains crucial.