Malicious plug-ins are not only used to keep access to the compromised database but also to mine for cryptocurrencies.

Researchers at website security firm Sucuri found that in recent months the number of malicious plug-ins has increased. The elements are copies of legitimate and harmful code.

Such fake plugins are usually used to give attackers database access even after the infection vector is removed. Yet code can also be included for other purposes, such as blog authentication.

Full Shedding

One of Sucuri’s plugins found to have a double target is a “wpframework” clone. It was discovered in September and used by hackers as a “unauthorized access to and maintenance of the website system,” according to the researchers.


It is not clear which plugin it impersonates, although one with this name exists in the public repository of WordPress, but its production seems to have stopped in 2011. It still has over 400 active installations, however.

In addition to scanning for database command execution functions and restricting this privilege to the botmaster, the plugin also has software to run the cryptocurrency mining Linux binary.


It was no longer active when the researchers checked the referenced domain hosting the binary. Nevertheless, the component’s backdoor functionality remained present.

On 18 September the mining portion was added to the Virus Total antivirus test platform and is currently detected by 25 out of 56 motors.

Generate Malicious Plugins

While Sucuri does not provide information on why malicious plugins are more common, it is worth noting that they are far from being an effort.

Instead of developing a WordPress malicious plugin, an attacker may change the existing code to include malicious components.

In addition, there are automated tools that can create a plugin with an attacker’s name and lock it to an arbitrary payload, such as a reverse shell.

In addition, the Internet provides the necessary tutorials for low qualified attackers to learn how to build these fake components of the website.

Sucuri suggests that webmasters also test additional site components when cleaning up malware as this practice is often limited to WordPress core files. Themes and plugins are often migrated without prior examination. This helps hackers to retain grip on the new site through the loophole in third-party extensions.


Categorized in: