
Someone bought 30 WordPress plugins and planted a backdoor in all of them

Why This Matters

This incident highlights the growing sophistication of supply chain attacks in the WordPress ecosystem, where malicious actors compromise trusted plugins to infiltrate numerous websites. It underscores the importance of rigorous security practices for both developers and site owners to prevent widespread damage and maintain trust in plugin marketplaces.

Key Takeaways

Last week, I wrote about catching a supply chain attack on a WordPress plugin called Widget Logic. A trusted name, acquired by a new owner, turned into something malicious. It happened again. This time at a much larger scale.

- 30+ plugins compromised
- 31 closed by WordPress.org
- 8 months the backdoor lay dormant before activation
- 6 figures paid on Flippa for the portfolio

A client reported a security notice they found in wp-admin.

Ricky from Improve & Grow emailed us about an alert he saw in the WordPress dashboard for a client site. The notice was from the WordPress.org Plugins Team, warning that a plugin called Countdown Timer Ultimate contained code that could allow unauthorized third-party access.

I ran a full security audit on the site. The plugin itself had already been force-updated by WordPress.org to version 2.6.9.1, which was supposed to clean things up. But the damage was already done.

The malware was hiding in wp-config.php.

The plugin’s wpos-analytics module had phoned home to analytics.essentialplugin.com, downloaded a backdoor file called wp-comments-posts.php (designed to look like the core file wp-comments-post.php), and used it to inject a massive block of PHP into wp-config.php.

The injected code was sophisticated. It fetched spam links, redirects, and fake pages from a command-and-control server. It only showed the spam to Googlebot, making it invisible to site owners. And here is the wildest part. It resolved its C2 domain through an Ethereum smart contract, querying public blockchain RPC endpoints. Traditional domain takedowns would not work because the attacker could update the smart contract to point to a new domain at any time.

The forced update did not clean wp-config.php.

WordPress.org’s v2.6.9.1 update neutralized the phone-home mechanism in the plugin. But it did not touch wp-config.php. The SEO spam injection was still actively serving hidden content to Googlebot.
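The two lessons from this incident are that a forced plugin update does not clean files the plugin already modified, and that the backdoor hid behind a filename one character away from a core file. The following script is an added example, not code from the article or from WordPress.org: it scans a wp-config.php for lines that do not belong in a stock config and flags the indicators described above (base64 decoding, remote fetches, Googlebot-only cloaking, blockchain RPC calls), and it looks for lookalike filenames next to core files. The indicator patterns, the list of core filenames, the similarity threshold and the sample config are all constructed for the example; the sample uses the reserved example.invalid host and contains nothing live.

```python
"""Post-incident checks for a WordPress install (constructed example).

1. scan_wp_config: a stock wp-config.php is made of comments, define() calls,
   $table_prefix and the require_once of wp-settings.php. Anything else, and
   anything matching a known indicator, is reported with its line number.
2. find_lookalikes: report filenames in the web root that are almost, but not
   quite, the name of a core file (wp-comments-posts.php vs wp-comments-post.php).
"""
import difflib
import re
import sys
from pathlib import Path

# Indicator patterns chosen for this example; tune them for your own sites.
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "remote_fetch": re.compile(r"\b(curl_exec|file_get_contents\s*\(\s*['\"]https?://)"),
    "eth_rpc": re.compile(r"eth_call|jsonrpc|ethereum", re.I),
    "googlebot_cloak": re.compile(r"Googlebot", re.I),
}

# Shapes of lines a stock wp-config.php is allowed to contain (assumption).
STOCK_LINE = re.compile(
    r"^\s*($|#|//|/\*|\*|\*/|<\?php|\?>|define\s*\(|\$table_prefix\s*=|"
    r"require_once|if\s*\(\s*!\s*defined|\}|\))"
)

# Core files worth protecting against lookalike names (partial list, assumption).
CORE_FILES = ["wp-comments-post.php", "wp-login.php", "wp-cron.php",
              "wp-settings.php", "xmlrpc.php"]

# Constructed sample: stock lines plus an injected block in the middle.
SAMPLE_WP_CONFIG = """<?php
/** Constructed sample config for the example; nothing here is live. */
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
$table_prefix = 'wp_';
if ( ! defined( 'ABSPATH' ) ) {
\tdefine( 'ABSPATH', __DIR__ . '/' );
}
$_x = base64_decode( 'aHR0cHM6Ly9leGFtcGxlLmludmFsaWQ=' );
if ( stripos( $_SERVER['HTTP_USER_AGENT'], 'Googlebot' ) !== false ) {
\techo file_get_contents( 'https://example.invalid/spam' );
}
require_once ABSPATH . 'wp-settings.php';
"""


def scan_wp_config(text: str) -> dict:
    """Return indicator hits and line numbers that are not stock config shapes."""
    findings = {"indicators": [], "unexpected_lines": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                findings["indicators"].append((lineno, name))
        if not STOCK_LINE.match(line):
            findings["unexpected_lines"].append(lineno)
    return findings


def find_lookalikes(filenames: list, threshold: float = 0.9) -> list:
    """Return (name, core_file, similarity) for near-miss names of core files."""
    hits = []
    for name in filenames:
        if name in CORE_FILES:
            continue  # the real core file is expected to be there
        for core in CORE_FILES:
            ratio = difflib.SequenceMatcher(None, name, core).ratio()
            if ratio >= threshold:
                hits.append((name, core, round(ratio, 2)))
    return hits


if __name__ == "__main__":
    # Usage: python check_wp.py /path/to/webroot ; with no argument, use the sample.
    if len(sys.argv) > 1:
        root = Path(sys.argv[1])
        config_text = (root / "wp-config.php").read_text(errors="replace")
        names = [p.name for p in root.glob("*.php")]
    else:
        config_text = SAMPLE_WP_CONFIG
        names = ["index.php", "wp-comments-post.php", "wp-comments-posts.php"]
    report = scan_wp_config(config_text)
    for lineno, name in report["indicators"]:
        print(f"wp-config.php:{lineno}: indicator {name}")
    for lineno in report["unexpected_lines"]:
        print(f"wp-config.php:{lineno}: not a stock config line")
    for name, core, ratio in find_lookalikes(names):
        print(f"lookalike file {name} resembles core {core} ({ratio})")
```

Run against the sample, the scanner reports the three injected lines (lines 9 to 11) both as indicator hits and as non-stock lines, and flags wp-comments-posts.php as a lookalike of wp-comments-post.php. On a real site, compare the non-stock lines against a known-good backup rather than trusting the pattern list alone, since an injected block can avoid every indicator and still be foreign to the file.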

I used backup forensics to pinpoint the exact injection window.
