Audit #44 Malicious Closed by wp.org
A SiteGuarding security-branded front, surfaced by the clean-on-closure hunt. Unlike the documented closures that left malware in trunk, WP.org's plugin-master force-pushed a "Removing" commit at closure that stripped the payload file core/scan_sigs_db.dat.
The deception. core/scan.php is a web-reachable PHP entrypoint: it defines its own ABSPATH (walking up the directory tree) and then include_once()s core/scan_sigs_db.dat. The .dat masquerades as a "scan signatures database" but is in fact PHP source (<?php /* Author: ByteDefense ... */). The plugin reaches core/scan.php via wp_remote_get(plugin_dir_url().'core/scan.php'). This is a disguised-extension code-execution pattern — the same .dat-as-PHP technique as the other SiteGuarding burners.
Hidden SiteGuarding domain. core/admin-support.php builds its URLs as str_replace("v","","svitevguardvinvgv") → "siteguarding", producing livechat.siteguarding.com/chat.php and www.siteguarding.com/en/buy-service/security-package-premium?pgid=BYTEDEF and siteguarding.com/en/protect-your-website?pgid=BYTEDEF. The pgid=BYTEDEF product code ties the plugin to SiteGuarding's commercial funnel. The junk-char obfuscation ("v" insertion) is the same TTP as speedup-optimization ("j" insertion, audit #42).
Shape match to the original portfolio. "ByteDefense Security" is a security-scanner-branded plugin (core/scan.php, admin-geo.php, admin-database.php, livechat asset) — the same SaaS-security shape as the 2013-2020 @siteguarding antivirus portfolio (audit #27). This is the operator re-launching the security-scanner front under a fresh 2025 burner account.
Why the IOC scanner missed it. The domain only exists after str_replace() runs, and the executable payload sits in a .dat file, so neither the literal domain IOC nor the PHP-pattern IOCs (which only looked at .php files) matched. Both evasions are cheap to defeat once a scanner checks file contents rather than extensions and evaluates simple string-building calls before matching.
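The following is an added example written for this audit, not the audit tool's code or anything from the plugin: a small scanner that catches the three tells described above (PHP source inside a non-.php file, an include/require of a non-.php path, and a plugin file that defines its own ABSPATH) and recovers strings built with str_replace("<junk char>", "", "<literal>") so a watchlist match can fire on the decoded value. The plugin tree it scans is a constructed stand-in that mirrors the file shapes named in this audit; the watchlist and all helper names are assumptions.

```python
"""Added example (not the audit tool): detect PHP hidden behind a non-.php
extension, the entrypoint that include()s it, and a brand string rebuilt at
runtime with str_replace() of a junk character.  The sample tree below is
constructed for the example, not taken from the real plugin."""
import os
import re
import tempfile

# Extensions the web server hands to PHP; a PHP open tag in any other file
# is a disguised-extension payload candidate.
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".inc"}
PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=")
# include/require whose string literal ends in something other than .php
INCLUDE_NON_PHP = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;]*?"
    r"['\"]([^'\"]*\.(?!php\b)[A-Za-z0-9]{1,6})['\"]")
# A plugin file defining ABSPATH itself is a standalone web-reachable entrypoint.
DEFINES_ABSPATH = re.compile(r"define\(\s*['\"]ABSPATH['\"]")
# str_replace("<junk char>", "", "<literal>")  -- junk-character obfuscation
STR_REPLACE_JUNK = re.compile(
    r"""str_replace\(\s*(['"])(.)\1\s*,\s*(['"])\3\s*,\s*(['"])([^'"]+)\4\s*\)""")
# Hypothetical watchlist of brand fragments (assumption, not the audit's IOC feed).
WATCHLIST = ("siteguarding",)

SAMPLE_TREE = {  # constructed stand-ins mirroring the shapes named in the audit
    "core/scan.php": (
        "<?php\n"
        "$dir = dirname(__FILE__);\n"
        "while (!file_exists($dir . '/wp-config.php') && $dir !== dirname($dir)) {\n"
        "    $dir = dirname($dir);\n"
        "}\n"
        "define('ABSPATH', $dir . '/');\n"
        "include_once(dirname(__FILE__) . '/scan_sigs_db.dat');\n"),
    "core/scan_sigs_db.dat":
        "<?php /* constructed stand-in, not the real payload */ echo 'x';\n",
    "core/admin-support.php": (
        "<?php\n"
        '$brand = str_replace("v", "", "svitevguardvinvgv");\n'
        "$chat = 'https://livechat.' . $brand . '.com/chat.php';\n"),
    "core/signatures.dat": "sig-0001|deadbeef\n",   # a genuine data file: no finding
    "readme.txt": "=== ByteDefense Security ===\n",
}


def strip_junk(literal, junk):
    """Evaluate str_replace(junk, '', literal) the way PHP would."""
    return literal.replace(junk, "")


def scan_plugin_dir(root):
    """Walk a plugin tree; return (kind, relative_path, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                raw = fh.read()
            if ext not in PHP_EXTENSIONS:
                # Content check, not extension check: this is what a
                # ".php files only" pattern scan misses.
                if PHP_OPEN_TAG.search(raw):
                    findings.append(("php_in_non_php_file", rel, name))
                continue
            text = raw.decode("utf-8", errors="replace")
            if DEFINES_ABSPATH.search(text):
                findings.append(("defines_own_abspath", rel, "ABSPATH"))
            for m in INCLUDE_NON_PHP.finditer(text):
                findings.append(("include_of_non_php", rel, m.group(1)))
            for m in STR_REPLACE_JUNK.finditer(text):
                decoded = strip_junk(m.group(5), m.group(2))
                findings.append(("str_replace_decoded", rel, decoded))
                for word in WATCHLIST:   # match on the decoded string
                    if word in decoded:
                        findings.append(("hidden_watchlist_hit", rel, word))
    return findings


def demo():
    """Write the constructed tree to a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_TREE.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_plugin_dir(root)


if __name__ == "__main__":
    for kind, rel, detail in demo():
        print(f"{kind:22s} {rel:26s} {detail}")
```

Run it against a real plugin directory with `scan_plugin_dir("/path/to/wp-content/plugins/<slug>")`; the str_replace decoder only handles the one-junk-character form seen here, so extend STR_REPLACE_JUNK if you meet multi-character or chained variants.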
Exposure. 0 active installs at closure — caught early.
Site owners should remediate immediately. Plugin author: see the steps below to clear this label.
If you run bytedefense on your site
Verify your install matches the wp.org canonical version:
wp plugin verify-checksums bytedefense
A patched build isn't yet published for this audit. Check the security advisories index or remove the plugin until one is available.
Or remove the plugin entirely:
wp plugin deactivate bytedefense
wp plugin delete bytedefense
Plugins under the same committer's SVN access
lanechristian891 holds push access to 1 plugin (bytedefense, 0 active installs at closure).
IOCs extracted (3)
| Kind | Value | Confidence |
|---|---|---|
| changelog_phrase | pgid=BYTEDEF | medium |
| code_pattern | svitevguardvinvgv | high |
| filename | scan_sigs_db.dat | medium |
Audit #44 — bytedefense
- Plugin: bytedefense ("ByteDefense Security")
- Active installs: 0 (at closure)
- Event: #3165 recent_prt_intervention · medium · clean-on-closure hunt 2026-06-14
- Suspect committer / account: lanechristian891 (display "ByteDefense", joined 2025-03-22, empty profile)
- Pre-clean trunk: r3387253 (lanechristian891, 2025-10-30)
- WP.org cleaning commit: r3390098 (plugin-master, 2025-11-05 "Removing")
- Closed on wordpress.org: 2025-10-24 (closed_reason: guideline-violation)
Verdict
malicious
Attribution
SiteGuarding. Burner @lanechristian891 ("ByteDefense", joined 2025-03-22). Same junk-char obfuscation family as @charlycharm/speedup-optimization. WP.org stripped core/scan_sigs_db.dat at closure.
IOCs to extract
- kind: code_pattern, value: svitevguardvinvgv, confidence: high
- kind: filename, value: scan_sigs_db.dat, confidence: medium
- kind: changelog_phrase, value: pgid=BYTEDEF, confidence: medium
Cleanup
Delete any scan_sigs_db.dat and standalone scan.php under the plugin directory; block outbound to siteguarding.com, livechat.siteguarding.com. Follow the full SiteGuarding cleanup checklist.