Our Site Scanner Saved Thousands of WordPress Sites from a Massive Security Attack
In the middle of June, we launched our upgraded Site Scanner service. Little did we know back then how soon we would see the new functionality in full action. Just a few months after the upgrade the Site Scanner saved thousands of WordPress sites from a well-disguised attack, aiming to redirect traffic to bogus sites through a fake plugin, called Zend Fonts. Imagine all the reputation and other business damages a hack like this could have caused and take a read how our hero, the Site Scanner, saved the day.
How does the “fake Zend Fonts plugin” work?
The attack involved uploading an infected fake plugin called Zend Fonts through a backdoor. Once uploaded, the infected plugin would redirect site visitors to bogus scam sites without the site owner even suspecting it. The uploaded plugin file looks like that:
./wp-content/plugins/zend-fonts-wp/zend-fonts-wp.php
What makes the attack really bad is that this plugin file is hidden from the wp-admin or wp-cli plugin list, meaning the WP Admins would not be able to easily spot it, due to the following function:
//hide plugin
add_filter('all_plugins', 'hide_plugins');
function hide_plugins($plugins) {
unset($plugins['zend-fonts-wp/zend-fonts-wp.php']);
return $plugins;
}
Also it is configured to trigger the redirect only if the website is accessed by a normal user, not the site admin or editor:
//do redirect if user from REF and NOT Admin
if(isset( $_SERVER['HTTP_REFERER']) && !$isAdmin){
redirect();
}
All these factors make the attack pretty much invisible for the site owners/editors, while the normal visitors would be redirected to scam sites. This hack could easily result in significant losses of sales, reputation damages, and other harms such as bad standings in search engines and more.
How did SiteGround detect the attack?
Our System Administrators monitor the load and behavior of our servers 24/7 and soon after this exploit was launched, we observed an abnormally high number of malicious files detected by our Site Scanner service crawling for malware. Our Sys Admins started digging further and spotted a pattern – there was an attempt for a massive fake Zend Fonts plugin upload affecting by that time around 2000 of our clients’ WordPress installations.
How does Site Scanner protect the sites it’s on?
Usually, in attacks like the Zend Fonts one, for the sites with Site Scanner Basic, reports are received in less than 24 hours after the malware is detected (right after the scheduled daily scan) and for those with Site Scanner Premium, an alert is received immediately after the (attempted) upload, giving our clients the opportunity to quickly react and delete the malicious files before they can cause any damage.
Furthermore, for the sites with Site Scanner Premium where quarantine is switched on, the files never reach the attacked sites – they are safely quarantined for the site owners to review and delete when convenient. The quarantine effectively stops the attack and protects the sites from malicious hack attempts, and the business and reputation impact resulting from them. And the best part – the site owners don’t have to do anything.
Using Site Scanner data to protect all clients
Once our System Administrators had detected that the Zend Fonts plugin upload was not something isolated, but was happening across the whole platform, they deleted all malicious files from our servers. Furthermore, our Security Engineers added a new rule to our web application firewall (WAF) to prevent further attacks towards other WordPress sites hosted with us.
We are quite excited to see how our Site Scanner service is actively protecting sites from a variety of really bad attacks. For massive, large-scale attacks such as the Zend Fonts plugin one, the Site Scanner helps us detect a pattern and take actions to protect all our clients by implementing WAF rules or enhancing our monitoring system. While this is something that we will continue doing, updating a platform-wide system takes some time and will not include smaller, site-specific malware attacks. If you want to have an early-on, comprehensive malware detection for your site, we strongly recommend that you activate one of our Site Scanner plans. And if you’re looking to not only detect but proactively stop malware attacks, get the Premium Site Scanner with quarantine on.
To celebrate the Site Scanner success, this #CyberSecurityMonth we offer 3 months free for any new Site Scanner activation (both Basic and Premium) made until the end of October.
