WordPress Warned of Credential-Stealing Cache Plugin

by Mary

A newly identified malicious WordPress plugin, named “wp-runtime-cache,” is targeting WordPress sites by stealing administrator credentials through advanced methods.

Disguised as a legitimate caching plugin, it sits in the wp-content/plugins directory and appears in the WordPress admin plugin list like any other plugin, even though it lacks the visible settings or management options a genuine caching plugin would offer.

Security experts observed that the plugin folder contains only a single file, wp-runtime-cache.php, whereas authentic plugins usually ship multiple files, which is an immediate red flag.

How the Malware Operates

The plugin activates during user login events via the WordPress hook add_action('wp_login', …) and captures login credentials from users whose roles carry high-level capabilities such as manage_options (administrator) and edit_pages (editor).

When such roles are detected, the plugin collects sensitive information, including usernames and passwords, and transmits it to a remote server using WordPress’s built-in wp_remote_post function.

To avoid detection, the plugin manipulates the plugin list displayed in the admin dashboard, rendering itself invisible to regular users. It also employs code obfuscation techniques, such as random variable names and base64 encoding, commonly used by sophisticated malware to bypass security scans.
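The indicators above (a one-file plugin folder, a wp_login hook, an outbound wp_remote_post call, base64 obfuscation) can be turned into a simple server-side check. The Python scanner below is an added example, not code from the article or from any vendor tool; the all_plugins filter as the list-hiding mechanism, the function names and the two-plugin fixture it builds are my own assumptions, and the "malicious" sample contains hook names only, no working logic.

```python
import os
import re
import tempfile

# Indicators from the article; the all_plugins filter is my assumed hiding method.
INDICATORS = {
    "wp_login_hook": re.compile(r"add_action\s*\(\s*['\"]wp_login['\"]"),
    "remote_post": re.compile(r"\bwp_remote_post\s*\("),
    "base64": re.compile(r"\bbase64_decode\s*\("),
    "hides_from_list": re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]"),
}

def scan_plugin_dir(plugin_dir):
    """Scan one plugin folder; flag the login-hook plus remote-post combination."""
    entries = os.listdir(plugin_dir)
    hits = set()
    for name in entries:
        if name.endswith(".php"):
            with open(os.path.join(plugin_dir, name), errors="replace") as fh:
                src = fh.read()
            hits.update(k for k, rx in INDICATORS.items() if rx.search(src))
    return {
        "single_file": len(entries) == 1 and entries[0].endswith(".php"),
        "hits": sorted(hits),
        "suspicious": {"wp_login_hook", "remote_post"} <= hits,
    }

def scan_plugins(plugins_root):
    """Return {folder: findings} for every flagged plugin under plugins_root."""
    results = {d: scan_plugin_dir(os.path.join(plugins_root, d))
               for d in sorted(os.listdir(plugins_root))
               if os.path.isdir(os.path.join(plugins_root, d))}
    return {d: r for d, r in results.items() if r["suspicious"]}

def _write(root, folder, name, text):
    os.makedirs(os.path.join(root, folder), exist_ok=True)
    with open(os.path.join(root, folder, name), "w") as fh:
        fh.write(text)

def build_sample_plugins():
    """Constructed fixture: an ordinary two-file plugin and one matching the pattern."""
    root = tempfile.mkdtemp()
    _write(root, "real-cache", "real-cache.php", "<?php\nadd_action('init', 'rc_init');\n")
    _write(root, "real-cache", "readme.txt", "A real caching plugin ships several files.\n")
    _write(root, "wp-runtime-cache", "wp-runtime-cache.php",
           "<?php\n// constructed sample: hook names only, no working logic\n"
           "add_action('wp_login', 'rc_login', 10, 2);\n"
           "add_filter('all_plugins', 'rc_hide');\n"
           "wp_remote_post(base64_decode('Li4u'), array());\n")
    return root
```

Point scan_plugins at a real wp-content/plugins path to audit a site; the single_file and hits fields tell you which of the article's indicators matched so a reviewer can decide before removing anything.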

Origin and Attack Strategy

The command-and-control server domain was registered in October 2024 in Arkansas, USA, while the associated contact phone number traces to Hong Kong, indicating a deliberate attempt by attackers to conceal their true location.

Using newly registered domains is a common tactic among cybercriminals to evade reputation-based security filters.

Recommendations for WordPress Security

This incident highlights the urgent need for WordPress administrators to adopt proactive security measures:

Conduct regular audits of plugins and user accounts

Employ server-side scanning tools or security plugins such as Sucuri to detect unauthorized files

Enable two-factor authentication (2FA) and implement IP-based login restrictions to prevent unauthorized access

After a security breach, update WordPress’s wp-config.php salt values using the official WordPress Salt Generator to invalidate stolen password hashes

The case underscores the increasing complexity of cyber threats and the necessity of layered security defenses to protect critical website access.

Staying vigilant and maintaining up-to-date security protocols remain essential to prevent potentially devastating breaches.
