Our Site Scanner has saved thousands of WordPress sites from a massive security attack
Posted: Sun Feb 16, 2025 6:08 am
In mid-June, we launched our updated Site Scanner service. Little did we know at the time how soon we would see the new feature in full action. Just a few months after the update, Site Scanner saved thousands of WordPress sites from a well-disguised attack that aimed to redirect traffic to fake sites through a plugin called Zend Fonts. Imagine the damage a hack like this could have caused to your reputation and business. Find out how this hero called Site Scanner saved the day.
How does the “fake Zend Fonts plugin” work?
The attack was based on loading a fake plugin called Zend Fonts through a gcash database backdoor. Once loaded, the infected plugin redirected site visitors to fake sites without the site owner's knowledge. The uploaded plugin file looked like this:
./wp-content/plugins/zend-fonts-wp/zend-fonts-wp.php
What makes the attack really harmful is that this file was hidden from the wp-admin or wp-cli plugin list, which made it difficult for WP administrators to locate it, because of the following function:
}
It was also configured to activate the redirect only if a normal user accessed the website, not the site administrator or editor:
/
}
All these factors make the attack virtually invisible to the site owners/editors, while regular visitors were redirected to scam sites. This hack could easily have resulted in significant sales losses, reputation damage, and other problems such as poor search engine rankings.
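Because the plugin hides itself from the wp-admin and wp-cli lists, a check that reads the plugins directory straight from disk will still see it. The following is an added example, not code from the original post or from Site Scanner: it reads the `Plugin Name:` headers from the files the way WordPress does (first 8 KiB of each PHP file) and reports every plugin that exists on disk but is missing from the list the administrator was shown. The function names, the sample tree and the `reported` list are constructed for illustration; in practice the reported list would be the output of `wp plugin list --field=name`.

```python
import os
import re
import tempfile

# WordPress identifies a plugin by a "Plugin Name:" header found in the
# first 8 KiB of a PHP file in the plugin's top-level directory.
HEADER_RE = re.compile(rb"^[ \t/*#@]*Plugin Name:\s*(.+?)\s*$", re.M)

def plugins_on_disk(plugins_dir):
    """Return {slug: (main file, header name)} read directly from the filesystem."""
    found = {}
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if os.path.isdir(path):
            slug, files = entry, [os.path.join(entry, f) for f in sorted(os.listdir(path)) if f.endswith(".php")]
        elif entry.endswith(".php"):
            slug, files = entry[:-4], [entry]  # single-file plugin
        else:
            continue
        for rel in files:
            with open(os.path.join(plugins_dir, rel), "rb") as fh:
                m = HEADER_RE.search(fh.read(8192))
            if m:
                found[slug] = (rel, m.group(1).decode("utf-8", "replace"))
                break
    return found

def unlisted_plugins(plugins_dir, reported_slugs):
    """Plugins present on disk that the admin-facing plugin list did not report."""
    reported = {s.strip() for s in reported_slugs}
    return {s: v for s, v in plugins_on_disk(plugins_dir).items() if s not in reported}

def demo():
    """Constructed sample tree: one listed plugin, one hidden one, one non-plugin file."""
    with tempfile.TemporaryDirectory() as root:
        for slug, name in [("akismet", "Akismet"), ("zend-fonts-wp", "Zend Fonts")]:
            os.makedirs(os.path.join(root, slug))
            with open(os.path.join(root, slug, slug + ".php"), "w") as fh:
                fh.write("<?php\n/*\n * Plugin Name: %s\n */\n" % name)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php // Silence is golden.\n")
        # Constructed stand-in for what the plugin list showed the administrator.
        return unlisted_plugins(root, ["akismet"])

if __name__ == "__main__":
    for slug, (rel, name) in demo().items():
        print("on disk but not in plugin list: %s (%s, header name %r)" % (slug, rel, name))
```
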
How did SiteGround detect the attack?
Our system administrators monitor the load and behavior of our servers 24/7 and soon after this exploit was launched, we saw an unusually high number of malicious files detected by our Site Scanner service. Our system administrators began investigating further and spotted a pattern: there was a mass upload attempt of the fake Zend Fonts plugin affecting approximately 2000 of our customers’ WordPress installations at the time.
How does Site Scanner protect sites that use it?
Typically, in attacks like the Zend Fonts one, for sites with Site Scanner Basic, reports are received within 24 hours of malware being detected (right after the scheduled daily scan), and for those with Site Scanner Premium, an alert is received immediately after the (attempted) upload, giving our customers the opportunity to react quickly and delete the malicious files before they can cause damage.
Additionally, for sites with Site Scanner Premium that have file quarantine enabled, the files never reach the attacked sites: they are safely quarantined for site owners to review and delete when appropriate. Quarantine effectively blocks the attack and protects sites from hacking attempts and the impact that would result. And the best part is that site owners don’t have to do anything.