Audit #46 Malicious Closed by wp.org
Site owners should remediate immediately. Plugin author: see the steps below to clear this label.
If you run code-quality-control-tool on your site
Verify your install matches the wp.org canonical version:
wp plugin verify-checksums code-quality-control-tool
A patched build isn't yet published for this audit. Check the security advisories index or remove the plugin until one is available.
Or remove the plugin entirely:
wp plugin deactivate code-quality-control-tool
wp plugin delete code-quality-control-tool
Plugins under the same committer's SVN access
nickclarkweb holds push access to 1 plugin totalling 50 active installs.
IOCs extracted (3)
| Kind | Value | Confidence |
|---|---|---|
| code_pattern | A8E15CA27213 | high |
| code_pattern | Patch_WPconfig_file | medium |
| url | https://www.safetybis.com/contact/ | medium |
Audit #46 — code-quality-control-tool
- Plugin: code-quality-control-tool ("Code Quality Control Tool")
- Active installs: 50+ (at closure — recovered via Wayback 2026-03-16 snapshot)
- Event: #3167 closed_blob_scan · high · clean-on-closure / blob-scan hunt 2026-06-15
- Suspect committer / account: nickclarkweb (joined 2021-10-22, empty profile — single plugin)
- First published: 2022-04-22 · last author commit: 2025-10-28 (v2.2)
- Closed on wordpress.org: 2026-04-07 (empty closed_reason)
Summary
A SiteGuarding burner with an undisclosed wp-config.php persistence injection — Tier A. Surfaced by the closed-plugin blob scan, which matched safetybis.com in the trunk.
The persistence mechanism. Patch_WPconfig_file() (in code-quality-control-tool.php) **prepends <?php /* PHP Code Control A8E15CA27213-START */ if(file_exists("…/error_logger.php")) include_once("…/error_logger.php"); … ?> to wp-config.php, causing the bundled error_logger.php to load on every request, before WordPress boots and surviving plugin deactivation**. Injecting an include_once of a plugin-controlled file into wp-config.php without disclosure is the SiteGuarding persistence pattern (the wp-config-resident analogue of the siteguarding_tools.php drop). The integration block is marked A8E15CA27213 for later removal by the operator's tooling.
Remote-management surface. The plugin exposes admin functions to enumerate, toggle, and delete themes and plugins (ManageThemesPlugins, ManagePlugins, cqctphp_delete_plugin), and a download-file endpoint — a remote site-management console under a "code quality" cover. Its support link is https://www.safetybis.com/contact/?<site-url> (safetybis.com = confirmed SiteGuarding secondary C2, IOC #169/#153). The bundled images/livechat.png asset matches the SiteGuarding live-chat funnel seen in bytedefense (audit #44).
Why the IOC scanner missed it before. The persistence lives in a Patch_WPconfig_file() routine and a bundled error_logger.php, not in any obvious payload string; the C2 reference is a safetybis.com support URL. The plugin was already closed, so only the blob/closure hunt reached it.
Exposure. 0 installs at closure. Any site that activated it has an include_once(.../error_logger.php) line injected into wp-config.php that persists after the plugin is deleted.
Verdict
malicious
Attribution
SiteGuarding. Burner @nickclarkweb (single plugin, empty profile). Uses safetybis.com C2 + the livechat.png funnel asset + undisclosed wp-config.php persistence injection. Same operator family as bytedefense (#44) and the rest of the fleet.
IOCs to extract
- kind: code_pattern, value: A8E15CA27213, confidence: high
- kind: code_pattern, value: Patch_WPconfig_file, confidence: medium
- kind: url, value: https://www.safetybis.com/contact/, confidence: medium
Cleanup
If a site ever ran this plugin: (1) open wp-config.php and delete the /* PHP Code Control A8E15CA27213 */ … include_once(...) line at the top; (2) delete the code-quality-control-tool plugin directory (incl. error_logger.php); (3) block outbound to safetybis.com, siteguarding.com; (4) audit admin users and rotate credentials, since the operator had a persistent pre-WordPress include and remote theme/plugin management. See the full SiteGuarding cleanup checklist (audit #27 writeup).
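Step (1) can be checked and applied with a short script. The following is an added example, not code from the audit or from the plugin. It assumes the injected block is a single `<?php /* PHP Code Control A8E15CA27213… ?>` span ending at the first `?>`, and it refuses to write if anything outside that shape remains; the function names, the sample path prefix and the evidence-directory argument are hypothetical.

```python
import re
import sys
from pathlib import Path

MARKER = "A8E15CA27213"  # code_pattern IOC from this audit
# Assumption: the injected block is one "<?php /* PHP Code Control <MARKER>... ?>"
# span that ends at the first "?>" after the marker comment.
BLOCK_RE = re.compile(
    r"<\?php\s*/\*\s*PHP Code Control " + MARKER + r".*?\?>[ \t]*\r?\n?", re.DOTALL)
INCLUDE_RE = re.compile(
    r"include_once\(\s*[\"']([^\"']*error_logger\.php)[\"']\s*\)")

# Constructed sample: the /var/www/html prefix is invented (the page elides the real
# path), and the block is glued to the original "<?php" with no newline in between.
LOGGER_PATH = "/var/www/html/wp-content/plugins/code-quality-control-tool/error_logger.php"
SAMPLE = ('<?php /* PHP Code Control ' + MARKER + '-START */ if(file_exists("'
          + LOGGER_PATH + '")) include_once("' + LOGGER_PATH + '"); ?><?php\n'
          "define('DB_NAME', 'wp');\n")

def inspect_wp_config(text):
    """Report whether the marker is present and which error_logger.php paths load."""
    return {"marker": MARKER in text,
            "includes": sorted(set(INCLUDE_RE.findall(text)))}

def strip_injection(text):
    """Return (cleaned_text, blocks_removed); raise if anything suspicious remains."""
    cleaned, removed = BLOCK_RE.subn("", text)
    if MARKER in cleaned or INCLUDE_RE.search(cleaned):
        raise ValueError("injection does not match the expected shape; edit by hand")
    if removed and not cleaned.lstrip().startswith("<?php"):
        raise ValueError("cleaned file no longer starts with <?php; edit by hand")
    return cleaned, removed

def clean_file(path, evidence_dir):
    """Clean wp-config.php in place; keep the original in evidence_dir (outside the web root)."""
    target = Path(path)
    original = target.read_bytes().decode("utf-8", "surrogateescape")
    cleaned, removed = strip_injection(original)
    if removed:
        backup = Path(evidence_dir) / (target.name + ".pre-cleanup")
        backup.touch(mode=0o600)  # the copy still holds database credentials
        backup.write_bytes(original.encode("utf-8", "surrogateescape"))
        target.write_bytes(cleaned.encode("utf-8", "surrogateescape"))
    return removed

if __name__ == "__main__":
    config, evidence = sys.argv[1], sys.argv[2]
    print(inspect_wp_config(Path(config).read_text(encoding="utf-8", errors="surrogateescape")))
    print("blocks removed:", clean_file(config, evidence))
```

Run it with the path to wp-config.php and a directory outside the web root for the evidence copy; a `ValueError` means the file needs manual review rather than an automated edit.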