• I just wanted to alert WordPress and other users that I believe hackers are currently implementing a very clever hack.

    Today, I got four automated e-mails from each of my sites’ Wordfence Security plugin saying that the administrator user has disabled Wordfence. Logging in to each site, I noticed an all-lowercase plugin called “wordpress” that was disabled. I enabled it on one of my sites, and the plugin seemed to “disappear” from the site. I should have listened to my instinct that said something was wrong with the way the plugin appeared (it should be “Wordfence Security” with capital letters, not “wordfence” all lowercase). As it turns out, this was not actually Wordfence.

    Luckily, I had backed up my site maybe a month ago, so I just FTP’d to my account, deleted the entire wordfence folder, re-uploaded the backed up wordfence folder, then updated Wordfence, all within about 3 minutes of originally enabling the plugin.

    I don’t believe they got my sites’ passwords. Since the WordPress site they did NOT infect was also inaccessible from my www.ads-software.com account, and since they seemed to get all of my WordPress sites in one attack, I am pretty sure they got to my sites via www.ads-software.com. Obviously I have since changed my www.ads-software.com password.

    I’m also going to eagerly await the next automated Wordfence scan of my site to see if anything else was compromised when the fake “wordpress” plugin was enabled. (I don’t subscribe to Wordfence premium so I can’t manually scan the site.)

    Does anyone know what this fake wordfence plugin does?

    • This topic was modified 6 years, 5 months ago by ostinatofreak.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator t-p

    (@t-p)

    I recommend asking at https://www.ads-software.com/support/plugin/wordfence so the plugin’s developers and support community can help you with this.

    • This reply was modified 6 years, 5 months ago by t-p.

    Where are you really hosting at? As far as I know, WordPress dot org doesn’t supply web hosting. You might want to have a chat with your real host about what happened. They might run a better scan on their host to alert you of any problems and it’s possible they’ll have other clients who might accidentally download the bad plugin.

    As for plugins… I don’t recommend running plugins from anywhere but the WordPress repository itself except in extreme, rare circumstances. Sometimes a theme will come with plugins that you need to be very careful with.

    Same with plugin updates. If the plugin panel says there is an update then those should be fairly trustworthy as that comes from the original source. I often wait a few days for ‘the dust to settle’ before I do updates even then.

    Themes? I don’t get real excited about theme updates! I’m usually running child themes and often have the theme looking and working the way I wish. I’ll wait until I have a block of time for theme updates. You just don’t know what might break otherwise.

    Finally, it might be a great idea to mention your problem on the WordFence support forum. They might be able to help you, explain what might have happened or come up with a fix within WordFence even.

    BTW: there is a ‘WordFence Assistant’ plugin that works to help regain access if WordFence accidentally locks you out. Was there a chance that was what you installed?

    Thread Starter ostinatofreak

    (@ostinatofreak)

    Sorry, my post above has some errors that make this look like a Wordfence issue. It isn’t a Wordfence issue, it’s just an issue that can happen to anyone whose www.ads-software.com password is compromised. The third paragraph should have read (corrections in caps):

    Luckily, I had backed up my site maybe a month ago, so I just FTP’d to my account, deleted the WORDPRESS folders, re-uploaded the backed up WORDPRESS folder, then updated VARIOUS WORDPRESS PLUGINS, all within about 3 minutes of originally enabling the plugin.

    The fifth paragraph should have read:

    I’m also going to eagerly await the next automated Wordfence scan of my site to see if anything else was compromised when the fake “WORDFENCE” plugin was enabled. (I don’t subscribe to Wordfence premium so I can’t manually scan the site.)

  • The topic ‘Bogus “wordfence” plugin installed’ is closed to new replies.