A new strain of malware has been discovered that poses as a legitimate WordPress caching plugin. The backdoor lets threat actors create administrator accounts on compromised websites, giving them complete control [1].


The malware can remotely activate and deactivate plugins [2] [4], modify site content [2] [4] [5], inject spam links [4], and redirect visitors to harmful sites [2] [4]. It is disguised as a caching tool and built to look professional, and it includes several functions intended to evade detection [4], chief among them excluding itself from the list of active plugins [2] [3] [5]. This makes it hard to spot [4], especially for inexperienced site owners [1]. The backdoor gives attackers full control over a victim's site [4], compromising SEO rankings and user privacy [4] [5]. The initial access vector is still unknown [5]. Wordfence analysts discovered the malware in July and released a signature to their customers in September [1]. Defiant [3] [5], the company behind the Wordfence security plugin [3], has also released a detection signature and a firewall rule to protect users [3] [5]. They recommend using strong credentials [5], keeping plugins up to date [3] [5], and removing unused add-ons and user accounts to prevent infection.
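The two symptoms the reports describe, a plugin that hides itself from the active-plugin list and a rogue administrator account, can both be checked against the database rather than the admin screen. The following script is an added example, not code from the article or from Wordfence; the sample rows, the plugin slug `fake-cache` and the user names are constructed placeholders.

```python
def php_unserialize(data, pos=0):
    """Minimal PHP unserialize for what these WordPress options hold: ints, bools,
    ASCII strings and nested arrays. Returns (value, next_pos). PHP string lengths
    are byte counts, so this assumes ASCII sample data."""
    t = data[pos]
    if t == "i":                                   # i:123;
        end = data.index(";", pos)
        return int(data[pos + 2:end]), end + 1
    if t == "b":                                   # b:1;
        return data[pos + 2] == "1", pos + 4
    if t == "s":                                   # s:5:"hello";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                          # skip ':"'
        return data[start:start + length], start + length + 2   # skip '";'
    if t == "a":                                   # a:2:{key;value;...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                            # skip ':{'
        result = {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            result[key], pos = php_unserialize(data, pos)
        return result, pos + 1                     # skip '}'
    raise ValueError(f"unsupported PHP type {t!r} at offset {pos}")

# Constructed sample rows (wp_options.active_plugins, wp_usermeta.wp_capabilities).
# "fake-cache" is a placeholder slug, not the real malware's plugin name.
DB_ACTIVE_PLUGINS = ('a:3:{i:0;s:19:"akismet/akismet.php";'
                     'i:1;s:25:"fake-cache/fake-cache.php";'
                     'i:2;s:24:"contact-form/contact.php";}')
ADMIN_SCREEN_PLUGINS = ["akismet/akismet.php", "contact-form/contact.php"]
USERMETA_CAPABILITIES = [                          # (user_login, wp_capabilities)
    ("editor1", 'a:1:{s:6:"editor";b:1;}'),
    ("siteowner", 'a:1:{s:13:"administrator";b:1;}'),
    ("wpcache_svc", 'a:1:{s:13:"administrator";b:1;}'),
]
KNOWN_ADMINS = {"siteowner"}

def find_hidden_plugins(db_serialized, shown_in_admin):
    """Active per wp_options but absent from the Plugins screen: the symptom of
    a plugin filtering itself out of the list, as the reports describe."""
    active, _ = php_unserialize(db_serialized)
    return sorted(set(active.values()) - set(shown_in_admin))

def find_unexpected_admins(usermeta_rows, known_admins):
    """Accounts holding the administrator role that are not on the allowlist."""
    rogue = []
    for login, caps in usermeta_rows:
        roles, _ = php_unserialize(caps)
        if roles.get("administrator") and login not in known_admins:
            rogue.append(login)
    return rogue
```

On a live site the two inputs come from `SELECT option_value FROM wp_options WHERE option_name='active_plugins'` and from `wp_usermeta` rows with `meta_key='wp_capabilities'`, compared against what the Plugins and Users screens display.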


This new strain of malware poses a significant threat to website security. Because it masquerades as a legitimate plugin and hides itself from the active-plugin list, it is hard to detect and remove. The impact of an infection can be severe, compromising SEO rankings and user privacy [4] [5]. There are, however, measures that reduce the risk: using strong credentials [5], keeping plugins up to date, and removing unused add-ons and user accounts. Website owners and administrators should stay vigilant and take these proactive steps to safeguard their sites against this and similar threats.


[1] https://www.darkreading.com/endpoint/backdoor-lurks-behind-wordpress-caching-plugin-to-hijack-websites
[2] https://www.blackhatethicalhacking.com/news/malware-poses-as-wordpress-caching-plugin-to-hijack-websites/
[3] https://nsaneforums.com/news/security-privacy-news/new-wordpress-backdoor-creates-rogue-admin-to-hijack-websites-r19304/
[4] https://thehackernews.com/2023/10/researchers-uncover-malware-posing-as.html
[5] https://www.redpacketsecurity.com/new-wordpress-backdoor-creates-rogue-admin-to-hijack-websites/