
WordPress sites targeted by novel plugin-spoofing backdoor

BleepingComputer reports that WordPress sites could be taken over by a new backdoor masquerading as a legitimate caching plugin. Aside from enabling the creation of a "superadmin" user with admin-level permissions and eventual user removal to conceal infection, the plugin-spoofing malware also facilitated bot detection to monitor site traffic spikes, as well as the replacement of content, including posts, links, and buttons, on targeted websites, according to a report from Defiant, the company behind the Wordfence plugin for WordPress. Attackers could also leverage the malware for remote plugin activation and deactivation, as well as remote invocation of other functions, researchers reported. "Taken together, these features provide attackers with everything they need to remotely control and monetize a victim site, at the expense of the site's own SEO rankings and user privacy," said researchers. The new backdoor's emergence has prompted Defiant to update its free Wordfence plugin to include a detection signature and to introduce a firewall rule for its Care, Premium, and Response offerings.
