Tag: malware

Security, Tutorials, WordPress

The ‘fake plugin’ WordPress malware family: how to spot random-named directories in bulk

One of the most common WordPress malware patterns I’ve cleaned in the last two years isn’t a webshell or a credential stealer — it’s a “fake plugin” or “fake theme.” The attacker creates a directory in wp-content/plugins/ or wp-content/themes/ with …

Security, Tutorials, WordPress

The .hph extension trick: how WordPress malware survives cleanups by shadowing .php files

You clean a WordPress malware infection. You find every .php file with the suspicious signature, quarantine it, restore from backup, harden the site. Three weeks later the same backdoor is back. Same filename, same content, same behavior. You’re sure you …

Security, Tutorials, WordPress

Detecting and cleaning the DOLLY WordPress mu-plugin backdoor

Last week I cleaned a six-site WordPress compromise on one of my OpenLiteSpeed boxes. The most interesting payload was the “DOLLY” mu-plugin family — a credential-harvesting backdoor that hides itself with a few clever tricks and survives most casual cleanups …