From a 7 KB file to a 13-year backdoor operation

TL;DR

A tiny 7 KB file in a WordPress plugin revealed a 13-year backdoor operation controlling dozens of plugins and multiple accounts. The investigation uncovered a sophisticated, long-term malicious infrastructure.

A 7 KB binary file found in a WordPress plugin has exposed a covert backdoor operation that has been active for 13 years, controlling dozens of plugins and multiple wp.org accounts. This discovery highlights a long-term, large-scale malicious infrastructure that operated in plain sight.

The investigation began when the wp.org Plugin Review Team removed a file called wp-math-captcha.dat from the plugin wp-advanced-math-captcha. This file was not typical; it was a compressed binary that, when decoded, contained PHP code serving as a dropper for a backdoor. The backdoor, named siteguarding_tools.php, was a remote-access tool that installed itself, registered with a command-and-control server, and then deleted itself from the site.

Further analysis revealed that the same operator controlled at least 44 plugins and 19 wp.org accounts over a span of 13 years. The operation involved multiple burner accounts and a network of domains and IP addresses, all linked through DNS lookups. Notably, a domain called cmsplughub.com was hosted on the same server and nameservers as the main control infrastructure, directly tying it to the same malicious operator.

Additional plugins, such as image-optimizer-x, were found to have embedded code that communicated with the same command server, indicating a coordinated effort. The operation used seemingly legitimate plugins as vectors for malicious payloads, including license validation tools and other utilities that appeared benign but were used for remote control.

Implications of a 13-Year, Large-Scale WordPress Backdoor Network

This discovery matters because it reveals a sophisticated, long-running cyber espionage and control operation embedded within widely used WordPress plugins. The operation’s scale—controlling dozens of plugins and multiple accounts—demonstrates a significant threat to website security, potentially affecting thousands of sites. It underscores the importance of rigorous code review and monitoring of plugin updates, especially for plugins with high install counts.

Furthermore, the operation’s ability to hide malicious activities within legitimate-looking code and its use of infrastructure that mimics legitimate hosting providers complicate detection efforts. This case highlights the need for improved detection tools and proactive security measures in the WordPress ecosystem.

WordPress Security: Essential WordPress Security Plugins and Step-by-Step Guide to Securing Your WordPress Website and Stopping Hackers (WordPress Security, WordPress Plugins, WordPress Book 1)

WordPress Security: Essential WordPress Security Plugins and Step-by-Step Guide to Securing Your WordPress Website and Stopping Hackers (WordPress Security, WordPress Plugins, WordPress Book 1)

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Long-Running Malicious Infrastructure in WordPress Ecosystem

The investigation traces back to 2013, when a now-defunct account, @siteguarding, registered on wp.org. Over the years, the operator created numerous plugins and accounts, often under pseudonyms, embedding malicious code that could be activated remotely. The initial discovery was triggered by routine plugin closures, which led to the decoding of a compressed binary file in a captcha plugin. This file turned out to be a dropper for a backdoor that communicated with a command server.

Subsequent analysis uncovered a pattern of similar code, domains, and hosting infrastructure. The operator used multiple burner accounts and domains, often registered with fake information, to maintain operational security. The entire network was managed through a set of shared DNS servers and IP addresses, making it difficult to distinguish malicious activity from legitimate hosting at first glance.

This long-term operation demonstrates how malicious actors can embed persistent backdoors in widely used software, maintaining control over infected sites for over a decade without detection.

“The discovery of a 7 KB file leading to a 13-year backdoor operation underscores the sophistication of malicious actors hiding within legitimate plugins.”

— Security researcher

Amazon

website malware scanner

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Remaining Questions About the Full Scope of the Operation

While the investigation uncovered extensive control over 44 plugins and 19 accounts, it is not yet clear how many websites were compromised or if additional malicious payloads remain undetected. The full extent of the backdoor’s reach and whether other operators were involved are still under investigation. Details about the command-and-control infrastructure and whether it is still active are also uncertain.

Amazon

WordPress plugin vulnerability scanner

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Next Steps in Investigating and Mitigating the Threat

Security researchers plan to continue analyzing the network of domains, plugins, and accounts linked to the operation. WordPress security teams are expected to issue alerts and recommend updates or removals for affected plugins. Ongoing monitoring of infected sites and further code audits are likely to identify additional compromised assets. Law enforcement agencies may also become involved if criminal activity is confirmed.

McAfee Total Protection 3-Device 2025 Ready |Security Software Includes Antivirus, Secure VPN, Password Manager, Identity Monitoring | 1 Year Subscription with Auto Renewal

McAfee Total Protection 3-Device 2025 Ready |Security Software Includes Antivirus, Secure VPN, Password Manager, Identity Monitoring | 1 Year Subscription with Auto Renewal

DEVICE SECURITY – Award-winning McAfee antivirus, real-time threat protection, protects your data, phones, laptops, and tablets

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

How was the backdoor discovered?

The backdoor was uncovered after the wp.org Plugin Review Team removed a suspicious file from a plugin, which was decoded and revealed malicious code.

What is the significance of the 13-year timeline?

The timeline indicates a long-term, persistent operation that managed to evade detection for over a decade, highlighting the sophistication of the threat actor.

Could my website be affected?

If you use plugins linked to the identified malicious network, your site could be at risk. It is recommended to review and update plugins, especially those with suspicious activity or code.

Are the affected plugins still active or malicious?

Some plugins may still be compromised or contain remnants of malicious code. Users should update or remove affected plugins and monitor their sites for unusual activity.

What can WordPress users do to protect themselves?

Regularly update plugins, use security plugins to scan for malicious code, and stay informed about security alerts from WordPress and security researchers.

Source: Hacker News


You May Also Like

The bottom rung. The danger isn’t the lost jobs. It’s the layer that made the seniors.

Entry-level job postings in the US are sharply declining, but the deeper concern is the loss of the apprenticeship layer that trains future senior workers, with uncertain long-term effects.

That viral clip you saw of someone winning big on Polymarket was probably fake

A Wall Street Journal investigation reveals that viral clips of big wins on Polymarket are fabricated, with over 1,100 fake videos paid for by the platform.

Week in Politics: U.S.-Israel ties; Trump and Vance oppose ceasefire critics

This week saw strengthened U.S.-Israel ties and prominent figures opposing ceasefire critics amid ongoing Middle East tensions.

Claude Guillemot, one of Ubisoft’s co-founders, has died in a plane crash

Claude Guillemot, co-founder of Ubisoft, died in a plane crash near La Baule, France, on June 19. The incident also claimed another victim.