Bogus “wordfence” plugin installed
I just wanted to alert WordPress and other users that I believe hackers are currently implementing a very clever hack.
Today, I got four automated e-mails from each of my sites’ Wordfence Security plugin saying that the administrator user has disabled Wordfence. Logging in to each site, I noticed an all-lowercase plugin called “wordpress” that was disabled. I enabled it on one of my sites, and the plugin seemed to “disappear” from the site. I should have listened to my instinct that said something was wrong with the way the plugin appeared (it should be “Wordfence Security” with capital letters, not “wordfence” all lowercase). As it turns out, this was not actually Wordfence.
Luckily, I had backed up my site maybe a month ago, so I just FTP’d to my account, deleted the entire wordfence folder, re-uploaded the backed-up wordfence folder, then updated Wordfence, all within about 3 minutes of originally enabling the plugin.
I don’t believe they got my sites’ passwords. Since the WordPress site they did NOT infect was also inaccessible from my www.remarpro.com account, and since they seemed to get all of my WordPress sites in one attack, I am pretty sure they got to my sites via www.remarpro.com. Obviously I have since changed my www.remarpro.com password.
I’m also going to eagerly await the next automated Wordfence scan of my site to see if anything else was compromised when the fake “wordpress” plugin was enabled. (I don’t subscribe to Wordfence premium so I can’t manually scan the site.)
Does anyone know what this fake wordfence plugin does?