How Malware Disables Security Plugins on a WordPress Website

A website built on WordPress is easy to program but comes with security issues if you do not place proper controls on your data. Typically, WordPress users add security plugins, which do the job of notifying the user when unauthorized access occurs. However, there are certain drawbacks to using security plugins.

Even though security plugins do notify the user of any security breach, there is no guarantee that the security plugin itself will not be hacked. Yes, attackers of a website know all about the working of security plugins and have devised ways to disable them.

Attackers have previously tried to reverse the security hardening measures provided by these plugins that held website data in place. Even though they might have been temporarily successful, the notifications received by the plugins allowed the users to harden the security measures again. To counter this challenge, attackers devised a novel way to break through security plugins, which is, the PHP malware.

The PHP Malware

The PHP malware is notorious and a boon to the attacker because it strikes at the source, which means, instead of undoing the security measures, it disables the security plugins themselves. As a result, when an attacker tries to steal your WordPress website data, the security plugins can no longer send you notifications about something going wrong.

The only way a user can find out is if they happen to check the status of the plugins and see them as disabled. Even then, simply reactivating the security plugins will not solve the issue. The PHP malware is built in a way that as soon as you reactivate a plugin, it deactivates it again promptly. No matter how many times you reactivate it, the malware will continue to disable it.

Another way in which the PHP malware has an advantage over other attacking methods is that it only disables the security plugins, leaving the others intact. So, you could continue to work on your website without any hindrance for a long time without even knowing that its security has been compromised.

How Does it Disable the Plugins?

This malware begins by attacking the root directory of your WordPress website. It typically is generated within the file ./wp-includes/IXR/class-IXR-cache.php. It then assigns the root directory to DIZIN’, which changes how the file wp-load.php loads. As this is a core WordPress file, confusing its direct loading technique is the attacker’s primary motive. The malware achieves this operation through the require_once’ function.

The attacker then uses two functions, of which one is called findinSecurity’, which sorts the array of all the plugins. The second function, called secList, is an array of plugins that the attacker is looking for, which are the security plugins. This list contains popular WordPress security plugins such as Security Ninja, Ninja Firewall, Better WP Security, Wordfence, and many more.

In the next step, the malware uses WordPress’s built-in get_option (active plugins’) command to see a list of the active plugins. It then runs the functions findinSecurity’ and secList to find the targeted security plugins that are active.

Then, using the command deactivate_plugins’, it disables the security plugins. Because the malware was injected into the core WP file and goes through the require_once’ function at every page load, even if you re-enable the plugins, they automatically get disabled at the next page refresh.

What You Can Do to Avoid Data Leaks

Where this kind of PHP malware is considered, relying on simple WordPress security plugins is not enough. To offer complete protection to your website, you must have a robust security process in place that works outside the WordPress interface.

A great way to take care of this is to use a server-side scanner. These scanners identify malware at the server end before they reach your website. The best part is, you can use these scanners irrespective of whether you use WordPress or any other website building platform.

Can the attacker disable a server-side scanner? They most certainly can. But the advantage of using a server-side scanner is that if it gets disabled, the connection between your website and the server will be lost. This means that you are informed that something inappropriate is going on at the server end. In such a scenario, you can protect your website from inadvertent data leaks by temporarily shutting it down while technicians investigate the issues on the server-side.

Implementing a robust security system for your WordPress website is crucial to keep hackers at bay. Unfortunately, security plugins do not always do a thorough job as PHP malware can easily disable them. It is, therefore, best to use server-side scanners and monitoring software to protect your website from falling victim to unauthorized access.

The No Plugin Option

Rocket.net (that’s us) provides fully integrated and ready to use CDN/WAF, powered by CloudFlare Enterprise is pre-configured and ready to use, meaning without much knowledge you can deploy a scalable WordPress installation to 200+ pops, enjoy full page caching and be protected by an enterprise WAF, without the need for a single plugin!