When cleaning websites, we regularly find phishing pages, malicious code injected into files, and SEO spam. However, over the past couple of months we’ve also noticed a considerable increase in the number of malicious plugins which have been added to compromised websites as well.
These plugins appear to be legitimate, but inspecting the code reveals that the plugin is not just an innocent plugin at all. The fake plugins are actually part of the attack—and in most cases used as a backdoor for the attacker to maintain access to the compromised website environment, even after the initial infection vector has been cleaned up.
Earlier this year, I wrote about another incident concerning a malicious plugin that was encrypting WordPress posts, but in that case the plugin was more of a tool to access the posts and encrypt them—not a backdoor as documented below.
Fake “wpframework” Plugin Installed on Hacked Sites
We recently discovered a number of compromised websites containing a plugin called “wpframework”. This plugin is being planted by bad actors to gain and maintain unauthorized access to the site environment.
The malicious file includes the following information in it’s header:
Plugin Name: WordPress Framework
Plugin URI: http://wordpress.org/#
Description: WordPress Framework
Author URI: http://wordpress.org