Fake WordPress Caching Plugin Steals Admin Credentials, Experts Warn Site Owners

Cybersecurity analysts have issued a stark warning to WordPress site owners after uncovering a sophisticated fake caching plugin, dubbed wp-runtime-cache, that silently exfiltrates admin credentials.

The malicious plugin, discovered during a routine malware scan, exploits WordPress’s plugin architecture and cleverly masks its presence, making detection especially difficult for even seasoned administrators.

Technical Analysis: How the Malware Operates

At first glance, wp-runtime-cache appears benign, mimicking the naming conventions of legitimate performance plugins.

However, unlike authentic caching plugins, it doesn’t display any settings in the WordPress Dashboard and remains hidden from the standard plugins list.

A deeper inspection of the plugin folder reveals only a single PHP file (wp-runtime-cache.php)—another indicator of suspicious activity, as functional plugins typically require multiple files for interface and logic.

Key Red Flags in Code

The initial review of the file raises multiple alarms:

  • Empty Metadata: No author, URL, or description is specified — a hallmark of hastily assembled malware.
  • Base64 Obfuscation: The code leverages base64 encoding to mask function names, roles, and URLs, a common tactic to avoid detection.
  • Randomized Variable Names: Variables like $woocomHeic0971, $pbes2PITR0339, and $infiltrateDocumentStore0460 obfuscate the code’s real intent.
  • Suspicious User Roles: Encoded role checks specifically target high-privilege users (manage_options for admins, edit_pages for editors).

Credential Harvesting Workflow

The core function is hooked to the wp_login action, so it runs on every successful login and then filters for administrators and editors:

```php
add_action('wp_login', 'octopusJson50286', 10, 2);

function octopusJson50286($username, $user_object) {
    // Gather username, password, roles
    // ... (base64_decode obfuscation)
    // Check if user is admin/editor
    // If yes, exfiltrate via POST
}
```

Decoded, the malware checks whether the user who is logging in holds an administrator or editor role, using these encoded role labels:

```php
bWFuYWdlX29wdGlvbnM= // manage_options (Admin)
ZWRpdF9wYWdlcw==     // edit_pages (Editor)
```

If matched, it packages the username, password, and privilege details, and sends the data via WordPress’s wp_remote_post function to an attacker-controlled domain:

```php
aHR0cHM6Ly93b29jb21tZXJjZS1jaGVjay5jb20vcmVwb3J0LXRv
// Decodes to: https://woocommerce-check[.]com/report-to
```
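The red flags listed above and the login-hook workflow can be turned into a triage check. The following Python script is an added example, not code from the article or from any analysis vendor: it examines each folder under wp-content/plugins for a lone PHP file, a plugin header with no Author/URI/Description, quoted base64 literals that decode to the role names or a URL, and a wp_login hook in the same file as wp_remote_post. The embedded sample plugin source is constructed for this example and only mirrors the article's description.

```python
import base64
import re
from pathlib import Path

SUSPICIOUS_DECODED = ("manage_options", "edit_pages", "http://", "https://")
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{12,}={0,2})['\"]")
WP_LOGIN_HOOK = re.compile(r"add_action\(\s*['\"]wp_login['\"]")

def decode_b64_literals(source):
    """Yield printable-ASCII decodings of quoted base64-looking literals in PHP source."""
    for lit in B64_LITERAL.findall(source):
        try:
            raw = base64.b64decode(lit, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # random identifiers that merely look like base64
        if raw.isprintable():
            yield raw

def analyze_plugin(files):
    """files maps filename -> source text for one plugin folder; returns its red flags."""
    php = [s for f, s in files.items() if f.endswith(".php")]
    header = next((s for s in php if "Plugin Name:" in s), "")
    hits = sorted({d for s in php for d in decode_b64_literals(s) if d.startswith(SUSPICIOUS_DECODED)})
    checks = [
        (len(files) == 1 and len(php) == 1, "single-file plugin"),
        (header and not any(h in header for h in ("Author:", "Plugin URI:", "Description:")),
         "empty plugin header (no Author/URI/Description)"),
        (hits, "base64 literals decode to: " + ", ".join(hits)),
        (any(WP_LOGIN_HOOK.search(s) and "wp_remote_post" in s for s in php),
         "wp_login hook combined with wp_remote_post"),
    ]
    return [msg for cond, msg in checks if cond]

def scan_plugins_dir(plugins_dir):
    """Walk wp-content/plugins and return {folder: flags} for each flagged plugin."""
    report = {}
    for folder in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        files = {f.name: f.read_text(errors="replace") for f in folder.rglob("*") if f.is_file()}
        flags = analyze_plugin(files)
        if flags:
            report[folder.name] = flags
    return report

# Constructed sample mirroring the article's description; not the real plugin file.
SAMPLE_MALICIOUS = {"wp-runtime-cache.php": """<?php
/* Plugin Name: WP Runtime Cache */
add_action('wp_login', 'octopusJson50286', 10, 2);
function octopusJson50286($username, $user_object) {
    $woocomHeic0971 = base64_decode('bWFuYWdlX29wdGlvbnM=');  // manage_options
    // role check against it, then wp_remote_post() to a decoded URL
}"""}
```

Run `scan_plugins_dir("/var/www/html/wp-content/plugins")` (path assumed) on a copy of the site to list flagged folders; a plugin that is on disk but absent from the Dashboard list, as the article describes, still shows up here because the check reads the filesystem rather than the admin UI.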

Stealth Tactics

To avoid arousing suspicion, the plugin hooks into the admin interface and employs custom hashing to hide itself from users except for the attacker’s own account, identified by a unique hardcoded hash.

This ensures normal administrators cannot see or deactivate the malicious plugin via the dashboard.

Attacker Infrastructure & Recommendations

The exfiltration domain, woocommerce-check[.]com, was registered mere months ago, with suspicious registration details blending a U.S. state with a Hong Kong phone prefix, hinting at attempts to obscure operational origins.

Security experts recommend:

  • Audit Plugins Regularly: Manually review wp-content/plugins for unknown or single-file plugins, especially those not listed in the admin panel.
  • Harden Authentication: Enable two-factor authentication (2FA) and restrict admin login via IP whitelisting.
  • Monitor File Changes: Deploy security plugins (e.g., Sucuri, Wordfence) that flag new or modified files.
  • Rotate Credentials: Change admin passwords on a regular schedule, and immediately if a compromise is suspected.

This incident underscores the escalating sophistication of WordPress supply-chain and credential theft attacks. Even seemingly innocuous plugins can harbor deep threats. Only frequent auditing, layered defenses, and vigilance can keep site owners protected in an evolving threat landscape.

Priya
