Blog

Stealthy Malware Targeting Wordfence

Benjamin Hosack
Jul 11, 2024
1 min read

Tags:

Malware
Cybersecurity

During a recent investigation into a compromised eCommerce website, a suspicious file modification was detected that coincided with the introduction of malware into the system. A file associated with WordFence, a popular security plugin for WordPress, had its size increased by a mere 39 bytes. An initial review did not reveal any obvious backdoor, which is commonly expected with such minor changes.

To pinpoint the exact modifications, a fresh copy of the WordFence plugin was downloaded for manual comparison. The team found that only two lines had been added to the file.

Wordfence malware insertion

The first line, "@chmod(FILE, 0444);", changed the file permissions to read-only, preventing any further changes or updates. The second addition was a single "continue" statement, strategically placed within a while loop that processes each file on the filesystem during a scan. This placement caused the loop to skip processing entirely, effectively preventing the WordFence scanner from detecting any files.  This enabled the criminals to load malicious code elsewhere in the site that would not trigger an alert in Wordfence.

Wordfence scanner corrupted by hackers

This incident underscores the importance of File Integrity Monitoring (FIM). Such subtle modifications might appear harmless and would likely evade detection by traditional malware scanners.  

However, with ThreatView Advanced, forensic-level analytics are built into the technology, enabling a full file change review within seconds.  As an example, here is a screenshot of a change comparison of code within a file with malware inserted:

ecommerce file change analysis

Proactive security. Simplified.

TRY THREATVIEW ADVANCED

Article by Bhavin Patel, Foregenix Threat Intelligence Group

Read Other Blog Articles

Digital Skimmer Targeting Is Shifting: What the Last 3 Months Tell Us

Turaco Labs
June 17, 2026
3 mins
eCommerce
Malware
Web Security

Over the last three months, the digital skimmer landscape has changed noticeably. Based on the latest ThreatView charts, Magento 2 remains the most targeted platform, but the biggest movement is elsewhere: Shopify has risen sharply and now appears to be the second most targeted platform for digital skimmers.

PrestaShop Attacks Are Escalating - What We’re Seeing and What Merchants Should Do Now

Turaco Labs
June 3, 2026
4 mins
eCommerce
Cybersecurity
Malware

In February 2026, we detected 327 compromised PrestaShop websites running card-harvesting malware loaders or digital skimmer malware. By the beginning of June 2026, that number had risen to 1,068. This is an active, expanding campaign affecting a growing number of merchants.

PolyShell and Magento: what merchants should do now

Turaco Labs
25 March 2026
4 mins
eCommerce
Magento
Malware
Web Security

A practical guide for Magento and Adobe Commerce merchants dealing with PolyShell: what it is, how to detect compromise, how ThreatView helps, and what to do next.

Proudly, designed, developed and maintained by Tecbot.