New WordPress Malware Fakes WordFence Active Protection

Security experts at Sucuri have identified a new variant of evasion malware targeting the WordFence security plugin on WordPress sites. This sophisticated malware hides its presence while creating backdoors for attackers.

The discovery was made during a routine investigation of a compromised WordPress site reported by a site administrator. Initially concerned about potential credit card theft malware, the administrator had removed the immediate threat. However, Sucuri’s deeper analysis uncovered a more insidious component: a malicious plugin designed to evade WordFence detection and disable its functionalities.

Malicious WordPress plugin

Malicious plugins are a common method for attackers to infiltrate WordPress sites, particularly those with compromised administrator accounts. These plugins can disguise themselves with generic names to blend into the environment.

In this instance, the suspicious plugin was named wp-engine-fast-action, despite the site not being hosted on WPEngine, and no legitimate plugin by that name existing.

WordFence, with over 5 million active installations, is a leading security solution for WordPress sites. Despite its robust features, including two-factor authentication and a firewall service, it is not infallible. The malicious wp-engine-fast-action plugin contained a script that obfuscated its true intent using base64 encoding, concatenation, and reversed strings. Once deobfuscated, it was clear that the plugin:

• Renamed the WordFence plugin directory to “wordfence1,” thereby disabling it.
• Created a new malicious admin user, license_admin2, or elevated the privileges of an existing user with that name.
• Served as a potential reinfection vector, ensuring continued access for the attackers even after initial malware removal.

To prevent detection, the attackers included additional files (main.js and style.css) within the plugin. The main.js file obfuscated JavaScript code to manipulate WordFence settings visually, making it appear as though security scans were active when they were not. The style.css file hid the presence of the bogus plugin and the malicious admin user from the WordPress dashboard.

“This code is fairly short but very sneaky in what it accomplishes: It gives the user the false impression that everything is enabled and working fine, even if the security scans are actually disabled,” explains Sucuri in the report

“The malicious code only works on pages of WordPress admin interface whose URL contains the word “Wordfence” in them (Wordfence plugin configuration pages).”

Mitigation advice

WordFence is a key security measure for WordPress sites, but users must ensure all its features are correctly configured and remain alert to potential vulnerabilities. Effective threat mitigation steps provided by Sucuri include:

• Using two-factor authentication (2FA): Enhance login security with an additional verification step.
• Securing wp-config.php: Implement security measures like disallow_file_edit and disallow_file_mods to prevent unauthorized modifications.
• Performing regular updates: Keep WordPress, themes, and plugins up-to-date to patch known vulnerabilities.
• Employing a website firewall: Protect against brute force attacks and block malicious bots.
• Implementing file integrity monitoring: Use external scanning solutions to detect unauthorized changes to website files.