Campaign

SiteGuarding — 2013–present

10 linked audits · 77 IOCs catalogued · 10k+ headline-plugin installs · first seen 2026-05-02 · last activity 2026-06-15

A 13-year WordPress supply-chain operation under the SiteGuarding brand (legal entity SafetyBis Limited, Cyprus, dissolved 2016 — operation continued anyway). Started as a 27-plugin overt portfolio under @siteguarding (closed by wp.org in 2020 for guideline violations); pivoted to anonymous burner accounts (@lulub5592, @dalielsam) that wp.org closed in April 2026. Same backdoor codebase across all three phases — currently shipping siteguarding_tools.php v2.4 from a still-live C2.

Audits in this campaign

Malicious · Closed by wp.org

Audit #25 WP Advanced Math Captcha — 6k+ installs

Two distinct supply-chain attack chains in a single 6,000-install plugin, both operated by SiteGuarding (siteguarding.com) through two anonymous wp.org committer accounts. wp.org Plugin Review Team (PRT, plugin-master) closed the plugin on…

baseline 2.1.8 → head 2.1.9.1 · 2mo ago

Malicious · Closed by wp.org

Audit #26 Web Image Optimization X — 100 installs

Attacker-controlled side-channel update endpoint shipped under the cover of "license validation" — same operator (SiteGuarding) and same sibling-plugin pair as audit #25 (wp-advanced-math-captcha). Where the wp-advanced-math-captcha audit …

baseline 1.0.8 → head 1.4.0 · 2mo ago

Malicious · Closed by wp.org

Audit #28 WP Antivirus Site Protection (by SiteGuarding.com) — 4k+ installs

SiteGuarding 27-plugin portfolio (2013-2020) — 15 plugins shipped siteguarding_tools.php v1.7 RCE backdoor INLINE in the plugin folder; 12 sibling plugins shipped phone-home guideline violations. wp.org closed all 27 in May-June 2020. Oper…

baseline 1.2 → head 7.5.4 · 2mo ago

Malicious · Closed by wp.org

Audit #42 Speedup Optimization — 100 installs

A previously undocumented SiteGuarding burner, surfaced by the clean-on-closure hunt and closed in the same 2026-04-07 wave that took down the two documented burners. The backdoor: speedup-optimization.php defines speedup01_CopyTools(), wh…

baseline → head 1.2.1 · 19d ago

Malicious · Closed by wp.org

Audit #43 WP Install From Web — 100 installs

This is a previously-undocumented SiteGuarding supply-chain backdoor burner. It was surfaced by hunting for plugins that WP.org cleaned on closure — i.e. where a Plugin Review Team account force-pushed a code change at the moment of closur…

baseline → head 1.10.1 · 19d ago

Malicious · Closed by wp.org

Audit #44 ByteDefense Security

A SiteGuarding security-branded front, surfaced by the clean-on-closure hunt. Unlike the documented closures that left malware in trunk, WP.org's plugin-master force-pushed a "Removing" commit at closure that stripped the payload file core…

baseline → head 2.1 · 19d ago

Malicious · Closed by wp.org

Audit #45 WP Google Core Web Vitals Fix

A SiteGuarding burner with a full remote-code-execution + persistence backdoor — Tier A. Surfaced by the closed-plugin blob scan (the new payload-decode scanner), which matched cmsplughub.com in the trunk that the old PHP-only IOC grep had…

baseline → head 1.0.4 · 18d ago

Malicious · Closed by wp.org

Audit #46 Code Quality Control Tool

A SiteGuarding burner with an undisclosed wp-config.php persistence injection — Tier A. Surfaced by the closed-plugin blob scan, which matched safetybis.com in the trunk. The persistence mechanism: Patch_WPconfig_file() (in code-quality-co…

baseline → head 2.1 · 18d ago

Malicious · Closed by wp.org

Audit #47 Magex AI Bot Defender

A SiteGuarding burner that routes through the safetybis.com C2 — Tier B (undisclosed phone-home / proxy, no in-plugin RCE sink). Surfaced by the closed-plugin blob scan via siteguarding.com + safetybis.com references in includes/class-site…

baseline → head 1.5.8 · 18d ago

Malicious · Closed by wp.org

Audit #48 SEO Pack

Verdict: malicious — a previously-undocumented 2024 wave of nine SiteGuarding supply-chain burner plugins, each on its own throwaway wp.org account. This is a distinct third operational phase of the SiteGuarding operation, sitting between …

baseline → head (suite — 9 plugins) 18d ago