Fake plugin wave affecting WordPress sites

Recently our colleague Joshua Goode escalated to the Security Research team an investigation he was performing on several websites that presented the same indicators of compromise. There were small variations in what the final payload was, but the attack timeline was always the same.

Attack timeline

As Joshua initially pointed out, and as I subsequently confirmed, the chain starts with the installation of the core-stab plugin, followed by additional items. The following timeline depicts one of the many compromised sites we reviewed:

  • Jan 10, 2023 @ 17:29:49.587 UTC – core-stab plugin upload – /wp-admin/update.php?action=upload-plugin
  • Jan 10, 2023 @ 17:29:52.270 – /wp-content/plugins/core-stab/index.php
  • Jan 11, 2023 @ 02:12:50.773 – /wp-admin/theme-install.php?tab=upload
  • Jan 11, 2023 @ 02:12:57.862 – Classic theme upload – /wp-content/themes/classic/inc/index.php
  • Jan 11, 2023 @ 03:37:58.870 – Another core-stab install
  • Jan 11, 2023 @ 04:15:06.014 – Installation of a new plugin, task-controller – /wp-content/plugins/task-controller/index.php
  • Jan 11, 2023 @ 08:23:26.519 – Installation of WP File Manager (unsure if by the attacker, but this plugin is commonly seen with a lot of malware)
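The pattern in this timeline, an admin upload request followed seconds later by a direct request to a PHP file inside the newly installed plugin or theme, can be searched for in web server access logs. The following is an added example, not code from the original post or from Jetpack; the log lines, client IPs, HTTP methods, the `example-plugin` entry and the 60-second window are constructed assumptions, and only the request paths come from the timeline above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in "combined" access-log style (not real log data).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2023:17:29:49 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2023:17:29:52 +0000] "GET /wp-content/plugins/core-stab/index.php HTTP/1.1" 200 312
198.51.100.4 - - [10/Jan/2023:18:02:11 +0000] "GET /wp-content/plugins/example-plugin/index.php HTTP/1.1" 200 0
203.0.113.7 - - [11/Jan/2023:02:12:50 +0000] "GET /wp-admin/theme-install.php?tab=upload HTTP/1.1" 200 4870
203.0.113.7 - - [11/Jan/2023:02:12:57 +0000] "GET /wp-content/themes/classic/inc/index.php HTTP/1.1" 200 298
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Admin endpoints used to upload a plugin or theme archive.
UPLOAD = re.compile(
    r'/wp-admin/(update\.php\?action=upload-(plugin|theme)|theme-install\.php\?tab=upload)')
# Direct request to a PHP file inside a plugin or theme directory.
DIRECT_PHP = re.compile(r'^/wp-content/(plugins|themes)/([^/]+)/(?:[^?]*/)?[^/?]+\.php')

def find_upload_then_hit(log_text, window=timedelta(seconds=60)):
    """Return (ip, kind, slug, path, seconds_after_upload) for each direct PHP
    request that follows an upload request from the same IP within `window`.
    Assumes the log is in chronological order."""
    last_upload = {}  # ip -> time of that client's most recent upload request
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, _method, path, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if UPLOAD.search(path):
            last_upload[ip] = when
            continue
        hit = DIRECT_PHP.match(path)
        if hit and ip in last_upload and when - last_upload[ip] <= window:
            delay = int((when - last_upload[ip]).total_seconds())
            findings.append((ip, hit.group(1), hit.group(2), path, delay))
    return findings

if __name__ == "__main__":
    for finding in find_upload_then_hit(SAMPLE_LOG):
        print(finding)
```

Any slug this reports should be compared against the plugins and themes you knowingly installed, since a legitimate install followed by a quick visit can produce the same sequence.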

The most common “coincidence” is that all users involved in this attack had their emails listed on at least one public password leak since 2019, which only corroborates the overall findings: the attacker(s) used compromised or leaked accounts to install the malware.

You can find more details on how the core-stab malware works, as well as detailed detection and blocking information for WP security experts, via WPScan.

Testing and validating our Proof-of-Concept for the malicious code.

What to do if my site was infected?

If you find the core-stab plugin installed on your site, the first thing you should do is remove it and then follow these next steps:

  • Change all admin users’ passwords and make sure you’re using multi-factor authentication.
  • Review all WordPress users and remove the ones you don’t recognize (especially the admin ones).
  • Review for unused or unknown themes and plugins and remove anything unnecessary or unknown.
  • Reinstall all your plugins since they may have been compromised.
  • Review your theme for added or changed files that weren’t added or changed with your consent.
  • Reinstall WordPress core files.

Finally, at Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. The Jetpack Security bundle is one great WordPress security option to ensure your site and visitors are safe. This product includes real-time malware scanning, site backups, comment and form spam protection from Akismet, brute force attack protection, and more.


How to Access and Edit the Default WordPress .htaccess File

Every WordPress installation has a selection of “core” files. These are the files behind critical functionality, and one of them is .htaccess. It includes configuration options for your web server. In other words, it’s extremely important.

If you know how to find and edit .htaccess, you can change your site’s permalink structure, set up redirects, increase security for the dashboard, and make many more tweaks. You don’t even need to know how to code if you follow instructions carefully.

In this article, we’ll talk about the .htaccess file and how it works. We’ll show you how to locate, access, and edit the file. Finally, we’ll wrap up with some frequently asked questions.


How to Recover and Restore Your WordPress Site after a Crash

WordPress is an excellent platform for your website. But that doesn’t mean that it’s invincible. If you’re working on your site and encounter a sudden glitch, freeze, or crash, it’s easy to enter panic mode.

Fortunately, there are ways to recover and restore your WordPress site after a crash. Whether you installed a poorly-coded plugin or accidentally deleted a file, you can get your site up and running again by following the right steps.

In this post, we’ll take a closer look at WordPress website crashes and some common causes. Then, we’ll guide you through five steps to recover and restore your site after a crash. Let’s get started!


6 Best WordPress Malware Removal Plugins (Paid & Free)

Your WordPress website is the product of countless hours of hard work, so it’s important to keep it secure. One essential part of your security setup should be a robust and reliable malware scanner. An effective WordPress malware plugin will help you quickly identify any malicious software that makes its way onto your WordPress website, and provide guidance on removing it. 

But, with lots of different WordPress malware scanner plugins available, it may be a challenge to determine which one is right for you. To help, we’ve reviewed six of the most popular options and set out some key things to consider when deciding on the best WordPress malware scanner for your website. 


How to Update Your WordPress Theme (Without Losing Anything)

Although WordPress themes are typically well-coded, they need regular updates to patch security vulnerabilities and introduce new features. But if you’ve made a lot of customizations to your theme, you might worry that updating it will cause you to lose all of your hard work.

Fortunately, there are a few easy ways to update your WordPress theme without losing anything. Backing up your site, using a child theme, and testing any changes in a staging environment can help you preserve your settings. Then, you can easily update the theme from your WordPress dashboard, cPanel, or using File Transfer Protocol (FTP).

In today’s guide, we’ll explore the importance of updating your WordPress theme. Then, we’ll explain the best methods to do this while maintaining any theme customizations. Let’s get to work!


WordPress Revisions: How to Use, Optimize, Limit, & Delete Them

When you’re working on a page or post in WordPress, you’ll likely go through several versions or “revisions.” WordPress revisions are the drafts of content you create using the editor. The revisions system works in the background to ensure that you always have previous versions of your work on hand. 

In this article, we’ll outline everything you need to know about WordPress post revisions. We’ll discuss how they work, where you can find them, and how to use them.


How to Deactivate a Plugin Without Access to WP-Admin

Sometimes, a plugin can cause a fatal or critical error in WordPress that results in loss of access to a site’s web pages or WP Admin area. When a fatal error occurs on a WordPress site, it’s usually due to a bug in a plugin or theme’s code that causes the site’s server to become stuck and unable to respond to requests.


Guide to WordPress Uptime Monitoring (+3 Best Plugins)

Your WordPress website’s availability is crucial to its success. If it’s down often, you’re going to miss out on new visitors and probably push away existing supporters as well. To make sure this isn’t happening, you’ll need a reliable way to oversee your page performance.

Luckily, there are plugins and services that can monitor your WordPress website and alert you to any issues that may arise. By keeping track of your site’s uptime, you’ll have a better idea of how it’s performing. That way, you can catch any issues and take action to address them. 

In this post, we’ll discuss what uptime monitoring in WordPress is and some reasons downtime occurs. Then, we’ll talk about how to track uptime and suggest some plugins and tools you can use to do so. 


How to Track & Log User Activity in WordPress + 6 Best Plugins

If you have a WordPress website, you might want to be able to track the activity that happens on it. By tracing every single modification on your site (and who completes it), you’ll be better equipped to resolve any problems that may arise.

Fortunately, you can use a WordPress plugin to track user activity on your site. There are many tools available that enable you to monitor changes made to your content. 

In this post, we’ll discuss why tracking user activity is important and what kinds of actions to prioritize. Then, we’ll explain how to track and log user activity in WordPress, and list six plugins that get the job done.


How to Back Up WooCommerce (Orders, Products, Database)

There’s a lot of work that goes into building and maintaining an online store. Therefore, it’s important to make sure that you know how to back up your WooCommerce store to avoid losing critical data, like your orders, products, and database.

The good news is that there are multiple solutions you can use for backing up WooCommerce. The best option will depend on a handful of factors, like whether you want to use a plugin and the type of backups you want to create. 

In this post, we’ll discuss the importance of backing up your WooCommerce store and how often you should do it. Then, we’ll walk you through the methods you can use to back up your store and restore it. Finally, we’ll answer some common questions about this process. 
