Plugin Change Detection
Alert ID: plugin_changes
MITRE ATT&CK: T1072 – Software Deployment Tools · T1505 – Server Software Component
Severity / Criticality
| Level | Condition |
|---|---|
| Low | Plugin update or deactivation |
| Medium | Activation of an already installed plugin |
| High | Plugin installation or deletion |
Why is it considered malicious?
- Malicious plugins are a major WordPress attack vector.
- Supply-chain attacks: compromised plugins distributed through official or third-party repositories.
- Hidden backdoors: extensions with legitimate-looking names but malicious code.
- Privilege escalation: vulnerable plugins that grant administrative access.
- Data theft: plugins designed to exfiltrate sensitive site or user information.
When does the alert trigger?
- Activation: `activated_plugin` hook.
- Deactivation: `deactivated_plugin` hook.
- Installation: `upgrader_process_complete` hook with `type=plugin` and `action=install`.
- Update: `upgrader_process_complete` hook with `type=plugin` and `action=update`.
- Deletion: `deleted_plugin` hook.
Technical Indicators (IOCs)
| Type | Pattern / Example | Description |
|---|---|---|
| file_pattern | wp-striplple, wp-vcd, initiator | Known malicious plugins |
| file_pattern | eval-php, wp-filemanager | Dangerous or vulnerable plugins |
| behavior | *backup*, *clone*, *migrate* | Suspicious generic names (weak signal on its own: many legitimate backup and migration plugins match) |
| behavior | Plugin files outside wp-content/plugins (including symlinks that resolve elsewhere) | Anomalous location |
| behavior | Permissions 777 | World-writable files: uncontrolled modification and execution risk |
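The trigger hooks listed above and the location, permission and dangerous-call indicators in this table, wired together as an added example. This is not the detection rule's own code: it is a minimal must-use plugin (assumed to live in `wp-content/mu-plugins/`) that listens on the five hooks, assigns the severities from the table, and runs a quick IOC triage on activation and installation. The `pcd_` function names and the error-log output format are hypothetical; the hook names and the `$hook_extra` layout are WordPress core's.

```php
<?php
/**
 * Added example (not the rule's code): plugin-change detector as an mu-plugin.
 * Severity mapping: update/deactivate = low, activate = medium, install/delete = high.
 */

/** Emit one structured alert line to the PHP error log (JSON, SIEM-friendly). Hypothetical format. */
function pcd_record_event(string $action, string $plugin_file, string $severity, array $findings = []): void {
    error_log('plugin_changes ' . wp_json_encode([
        'alert_id' => 'plugin_changes',
        'action'   => $action,
        'plugin'   => $plugin_file,          // e.g. akismet/akismet.php or hello.php
        'severity' => $severity,
        'user_id'  => get_current_user_id(), // 0 in WP-Cron / WP-CLI context
        'findings' => $findings,
    ]));
}

/** Cheap IOC triage of an installed plugin: location, 777 permissions, dangerous calls. */
function pcd_triage_plugin(string $plugin_file): array {
    $findings = [];
    $path = WP_PLUGIN_DIR . '/' . $plugin_file;
    // Single-file plugins (hello.php) have no directory of their own.
    $root = (strpos($plugin_file, '/') === false) ? $path : dirname($path);

    // Anomalous location: realpath() follows symlinks, so a plugin symlinked
    // in from outside wp-content/plugins is reported here.
    $real = realpath($root);
    $base = realpath(WP_PLUGIN_DIR) . DIRECTORY_SEPARATOR;
    if ($real === false || strpos($real . DIRECTORY_SEPARATOR, $base) !== 0) {
        $findings[] = 'plugin resolves outside wp-content/plugins: ' . var_export($real, true);
    }
    if ($real === false) {
        return $findings;
    }

    // Constructs that legitimately appear in some plugins but deserve a look.
    $dangerous = '/\b(eval|assert|create_function|base64_decode|gzinflate|str_rot13'
               . '|system|exec|shell_exec|passthru|popen|proc_open)\s*\(/i';
    $files = is_dir($real)
        ? new RecursiveIteratorIterator(new RecursiveDirectoryIterator($real, FilesystemIterator::SKIP_DOTS))
        : [new SplFileInfo($real)];

    foreach ($files as $f) {
        if (($f->getPerms() & 0777) === 0777) {
            $findings[] = 'world-writable (777): ' . $f->getPathname();
        }
        if (strtolower($f->getExtension()) !== 'php') {
            continue;
        }
        $src = file_get_contents($f->getPathname());
        if ($src !== false && preg_match_all($dangerous, $src, $m)) {
            $calls = array_unique(array_map('strtolower', $m[1]));
            $findings[] = 'dangerous calls in ' . $f->getPathname() . ': ' . implode(', ', $calls);
        }
    }
    return $findings;
}

// Activation / deactivation: first argument is the plugin file relative to WP_PLUGIN_DIR.
add_action('activated_plugin', function ($plugin) {
    pcd_record_event('activate', $plugin, 'medium', pcd_triage_plugin($plugin));
}, 10, 1);
add_action('deactivated_plugin', function ($plugin) {
    pcd_record_event('deactivate', $plugin, 'low');
}, 10, 1);

// Deletion: $deleted is false when WordPress failed to remove the files.
add_action('deleted_plugin', function ($plugin_file, $deleted) {
    pcd_record_event('delete', $plugin_file, 'high',
        $deleted ? [] : ['deletion reported but files are still present']);
}, 10, 2);

// Install / update share one hook that also fires for themes, core and
// translations; the type check is what keeps this a *plugin* alert.
add_action('upgrader_process_complete', function ($upgrader, $hook_extra) {
    if (($hook_extra['type'] ?? '') !== 'plugin') {
        return;
    }
    $action = $hook_extra['action'] ?? '';
    if ($action === 'install') {
        // Plugin_Upgrader::install() puts no slug in $hook_extra; ask the
        // upgrader which plugin file it just unpacked (false if none found).
        $plugin = $upgrader->plugin_info() ?: '(unknown)';
        pcd_record_event('install', $plugin, 'high',
            $plugin !== '(unknown)' ? pcd_triage_plugin($plugin) : []);
    } elseif ($action === 'update') {
        // A single update passes 'plugin'; a bulk update passes 'plugins' => [...].
        $plugins = $hook_extra['plugins'] ?? [$hook_extra['plugin'] ?? '(unknown)'];
        foreach ((array) $plugins as $plugin) {
            pcd_record_event('update', $plugin, 'low');
        }
    }
}, 10, 2);
```

Two caveats worth keeping in mind when reading the output. The triage runs inline on the admin request, so on large plugins it adds noticeable file I/O; in production you would queue it. More importantly, these hooks fire only for changes made through WordPress itself (dashboard, REST, WP-CLI): a plugin uploaded over SFTP and switched on by editing the `active_plugins` option directly in the database fires none of them, which is why the file-based indicators in the table still need a separate periodic scan.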
Common false positives
- Legitimate automatic updates.
- Installations or deletions by authorized administrators.
- Development or staging environments with temporary tests.
- Planned maintenance or controlled deployments.
Investigation steps
- Verify plugin integrity against the copy hosted on wordpress.org (WP-CLI; only works for plugins from the official repository, and reports files that are modified, missing or added):
  ```bash
  wp plugin verify-checksums [plugin-name]
  ```
- Compare the installed version with the latest official release:
  ```bash
  wp plugin list --name=[plugin-name] --fields=name,version,update,update_version
  ```
- Search for suspicious code constructs (expect false positives from legitimate uses; read each hit in context):
  ```bash
  grep -rnE "eval\(|base64_decode|gzinflate|str_rot13|create_function|shell_exec|passthru|system\(" wp-content/plugins/[plugin-name]
  ```
- Check reputation and source: repository, active installs, last update date, and reviews.
Recommended mitigations
**Immediate**
- Immediately deactivate any suspicious plugin.
- Verify integrity using official checksums when available.
- Scan with tools such as **WPScan** or similar.
- Review recent file and configuration changes.

**Preventive**
- Implement an approval policy before new installations.
- Use only plugins from the official WordPress repository or trusted vendors.
- Test updates in staging first.
- Monitor active vulnerabilities through reputable WordPress vulnerability sources.
- Restrict the `install_plugins`, `activate_plugins`, `update_plugins` and `delete_plugins` capabilities to trusted accounts; where dashboard installs are not needed at all, set `DISALLOW_FILE_MODS` in wp-config.php.
References
- WordPress Plugin Security
- WPScan Vulnerability Database