Frequent malware in cached pages

Hello @florismk,

Thanks for reaching out to us and reporting this.

Can you tell us more about the security threats/reports you got from Wordfence regarding WP Super Cache? Can you share a screenshot or text copy of what the threat reports actually say?

Look forward to hearing from you!

Hi,

Your site is infected by something. The code that malware adds to the pages of your site is being called by this plugin and thankfully getting detected then.

I find your other thread here: https://www.ads-software.com/support/topic/supercache-file-critical-warning-2/

I don’t know why your site is being targeted but there’s some vulnerability there that an attacker is taking advantage of. It’s not this plugin that is vulnerable, as far as we are aware. We would have received many more reports of this happening if that were the case.

If you have other software installed on your server besides WordPress that may be vulnerable, or if you have custom code there may be vulnerabilities in it.

Hi @tamirat22, thanks for your response! The report says something along these lines (with the file name varying):

/mnt/web003/e2/70/511363570/htdocs/floriskleijne.nl/wp-content/cache/supercache/www.floriskleijne.nl/meta-wp-cache-3c685ba0ad8c85ade50e389730ed2748.php

Backdoor: PHP/PD9.5376 (A backdoor known as PD9).

(Thanks to @donncha for finding my previous thread about this in the WordFence forum.)

Thanks for your reply, @donncha. There is no other software installed that I’m aware of, it’s a shared hosting server at a reputable hosting provider. And the affected site is actually the one without any of my custom code.

So if there’s a vulnerability, it’s in an official repository plugin or theme that I keep up-to-date automatically.

I have no idea how to go about finding the vulnerability though. Selectively disabling plugins and themes and waiting for the problem not to occur seems a time-consuming approach, and hardly foolproof, as it’s impossible to prove a negative.

Hello there,

As the issue mentioned “PHP”, I would advise updating your PHP version to prevent any vulnerabilities in older versions.

Also, I would recommend getting in touch with your hosting provider and ask them for more help on what could be causing the issue.

You could also contact WordFence and ask for more details on the issue. They may be able to explain what is causing the problem.

Starting a new thread on the WordFence forum. My PHP version is up to date.

Thanks for the update @florismk and we’d love to hear what the Wordfence team has to say about this.

In the meantime, I have shared your threat report with our product team to see if they have any insights into this.

Thanks. The WordFence topic is here: Frequent malware in WP Super Cache cached pages | www.ads-software.com

WordFence feedback is that WP Super Cache caches requests, and these requests may include the malware in GET parameters or cookies. What may be happening, according to them, is that WordFence blocks the attempt, but the request URL is nevertheless cached. So the malware does not reach the rest of the site, just the cache. Does that make sense to you guys?

In the WordFence thread, someone suggested strongly that I should set WPSC to serve after Init. Is that best practice in the presence of WordFence?

I replied on the Wordfence thread with some ideas. I don’t think there’s any need to use “late init”.

I’m very certain this is a false positive anyway and nothing to worry about.

Thanks, @donncha, I’ll keep the discussion in the WordFence thread then.

Sounds like a good plan! I will go ahead and close this thread for now since the issue is being tracked in a separate thread!

Thank you!