Our Site Scanner Saved Thousands of WordPress Sites from a Massive Security Attack
In the middle of June, we launched our upgraded Site Scanner service. Little did we know back then how soon we would see the new functionality in full action. Just a few months after the upgrade, the Site Scanner saved thousands of WordPress sites from a well-disguised attack that aimed to redirect traffic to bogus sites through a fake plugin called Zend Fonts. Imagine all the reputation and other business damage a hack like this could have caused, and read on to see how our hero, the Site Scanner, saved the day.
How does the “fake Zend Fonts plugin” work?
The attack involved uploading an infected fake plugin called Zend Fonts through a backdoor. Once uploaded, the infected plugin would redirect site visitors to bogus scam sites without the site owner even suspecting it. The uploaded plugin file is located at:
./wp-content/plugins/zend-fonts-wp/zend-fonts-wp.php
What makes the attack really bad is that this plugin file is hidden from the wp-admin and wp-cli plugin lists, meaning WP Admins would not be able to easily spot it. The hiding is done by the following function, which hooks the all_plugins filter and removes the plugin's own entry from the list before it is displayed:
// hide plugin: drop this plugin's own entry from the list shown in wp-admin / wp-cli
add_filter('all_plugins', 'hide_plugins');
function hide_plugins($plugins) {
    unset($plugins['zend-fonts-wp/zend-fonts-wp.php']);
    return $plugins;
}
It is also configured to trigger the redirect only when the visitor arrives with an HTTP referer set and is not a site admin or editor, so that a normal user is redirected while the people who maintain the site never see it:
// do redirect if user arrived via a referer and is NOT an admin
if (isset($_SERVER['HTTP_REFERER']) && !$isAdmin) {
    redirect();
}
All these factors make the attack pretty much invisible to the site owners and editors, while normal visitors are redirected to scam sites. Such a hack could easily result in significant loss of sales, reputation damage, and other harm such as penalties in search engine rankings.
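As an added example (not SiteGround's code and not part of the Site Scanner), here is a small Python scanner that walks a wp-content/plugins directory and flags any PHP file that registers an all_plugins filter and unset()s a plugin entry, which is the self-hiding trick shown above. The plugin files it scans are constructed in a temporary directory so it runs offline; the file names, directory layout and regular expressions are assumptions.

```python
"""Heuristic detector for plugins that hide themselves from the WordPress
plugin list by hooking 'all_plugins' and unset()ing their own entry."""
import os
import re
import tempfile

# A callback registered on the 'all_plugins' filter.
ALL_PLUGINS_HOOK = re.compile(r"""add_filter\(\s*['"]all_plugins['"]""")
# unset() of a "dir/file.php" slug inside the filtered plugin array.
UNSET_SLUG = re.compile(r"""unset\(\s*\$\w+\[\s*['"]([^'"]+)['"]\s*\]""")

def scan_file(path):
    """Return the plugin slugs a PHP file removes from the list, or []."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    if not ALL_PLUGINS_HOOK.search(src):
        return []
    return UNSET_SLUG.findall(src)

def find_self_hiding_plugins(plugins_dir):
    """Walk a plugins dir; map each suspicious file to the slugs it hides."""
    findings = {}
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            hidden = scan_file(path)
            if hidden:
                findings[os.path.relpath(path, plugins_dir)] = hidden
    return findings

def demo():
    """Constructed plugins dir: one benign plugin, one self-hiding plugin."""
    base = tempfile.mkdtemp()
    samples = {  # constructed sample files, not real plugin code
        "hello-dolly/hello.php":
            "<?php\n/* Plugin Name: Hello Dolly */\nadd_action('init', 'hello');\n",
        "zend-fonts-wp/zend-fonts-wp.php":
            "<?php\nadd_filter('all_plugins', 'hide_plugins');\n"
            "function hide_plugins($plugins) {\n"
            "    unset($plugins['zend-fonts-wp/zend-fonts-wp.php']);\n"
            "    return $plugins;\n}\n",
    }
    for rel, src in samples.items():
        os.makedirs(os.path.join(base, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(base, rel), "w", encoding="utf-8") as fh:
            fh.write(src)
    return find_self_hiding_plugins(base)
```

Pointing find_self_hiding_plugins() at a real wp-content/plugins directory and comparing its output against the plugin list in wp-admin is a quick way to confirm whether anything on disk is being concealed from the listing.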
How did SiteGround detect the attack?
Our System Administrators monitor the load and behavior of our servers 24/7, and soon after this exploit was launched we observed an abnormally high number of malicious files detected by our Site Scanner service, which crawls for malware. Our Sys Admins started digging further and spotted a pattern: a mass upload attempt of the fake Zend Fonts plugin which, by that time, had affected around 2000 of our clients' WordPress installations.
How does Site Scanner protect the sites it’s on?
Usually, in attacks like the Zend Fonts one, sites with Site Scanner Basic receive a report in less than 24 hours after the malware is detected (right after the scheduled daily scan). Sites with Site Scanner Premium receive an alert immediately after the (attempted) upload, giving our clients the opportunity to react quickly and delete the malicious files before they can cause any damage.
Furthermore, for the sites with Site Scanner Premium where quarantine is switched on, the files never reach the attacked sites – they are safely quarantined for the site owners to review and delete when convenient. The quarantine effectively stops the attack and protects the sites from malicious hack attempts, and the business and reputation impact resulting from them. And the best part – the site owners don’t have to do anything.
Using Site Scanner data to protect all clients
Once our System Administrators had detected that the Zend Fonts plugin upload was not something isolated but was happening across the whole platform, they deleted all malicious files from our servers. Furthermore, our Security Engineers added a new rule to our web application firewall (WAF) to prevent further attacks against other WordPress sites hosted with us.
We are quite excited to see how our Site Scanner service is actively protecting sites from a variety of really bad attacks. For massive, large-scale attacks such as the Zend Fonts plugin one, the Site Scanner helps us detect a pattern and take action to protect all our clients by implementing WAF rules or enhancing our monitoring system. While this is something we will continue doing, updating a platform-wide system takes some time and will not cover smaller, site-specific malware attacks. If you want early, comprehensive malware detection for your site, we strongly recommend that you activate one of our Site Scanner plans. And if you're looking to not only detect but proactively stop malware attacks, get the Premium Site Scanner with quarantine on.
To celebrate the Site Scanner success, this #CyberSecurityMonth we offer 3 months free for any new Site Scanner activation (both Basic and Premium) made until the end of October.
Comments (10)
Saraj
Is the SG site scanner effective on all sites, or is it specifically designed for WordPress sites?
Gergana Zhecheva (SiteGround Team)
The SiteGround Scanner was designed to protect all types of website applications, and it is not WordPress exclusive.
Matthew
So did site owners choose to upload Zend Fonts, or was this something hackers installed?
Gergana Zhecheva (SiteGround Team)
The latter - it was a fake plugin redirecting website visitors to unrelated scam sites. Our monitoring tools noticed the fake plugin upload attempts blocked by the Site Scanner, which resulted in the addition of the new security rule in our firewall. That is how Site Scanner saved the day for all WordPress users hosted on SiteGround. :)
Valiik
How did the hackers get into the server to upload the plugin in the first place and then activate it? They must have gotten access to the server or something? Was this because the site owner did not update something on time or did the hackers get access to the entire server and planted the plugin into all the sites on the server?
Mila Kanazirska (SiteGround Team)
The attack involved uploading an infected fake plugin/file through a backdoor, which could be anything from a not up-to-date plugin or theme on your website. That affected random sites with outdated versions, not all on a single server. That is why it is essential to keep everything updated to the latest available version and to research carefully before installing a plugin on your website.
Objx128
What was the backdoor? Something within Wordpress, or something within your own system?
Mila Kanazirska (SiteGround Team)
The backdoor can be different for different sites. It can be anything from a not up-to-date plugin or a theme. That is why random sites were affected, and we always say how important it is to ensure you use the latest available versions.
Charles
Well, how does my admin check to see if Scanner premium is installed and quarantine is on?
Mila Kanazirska (SiteGround Team)
The Site Scanner Premium can be activated by the owner from the Client Area. Once done, you can set your admin with collaborator access to the site, and he will be able to adjust the settings and monitor the reports. If you need more information, reach our support team directly for assistance.