A 13-year WordPress supply-chain operation under the SiteGuarding brand (legal entity SafetyBis Limited, Cyprus, dissolved 2016 — operation continued anyway). Started as a 27-plugin overt portfolio under @siteguarding (closed by wp.org in 2020 for guideline violations); pivoted to anonymous burner accounts (@lulub5592, @dalielsam) that wp.org closed in April 2026. Same backdoor codebase across all three phases — currently shipping siteguarding_tools.php v2.4 from a still-live C2.
Audits in this campaign
Malicious Closed by wp.org
Audit #25
WP Advanced Math Captcha
— 6k+ installs
Two distinct supply-chain attack chains in a single 6,000-install plugin, both operated by SiteGuarding (siteguarding.com) through two anonymous wp.org committer accounts. wp.org Plugin Review Team (PRT, plugin-master) closed the plugin on…
Malicious Closed by wp.org
Audit #26
Web Image Optimization X
— 100 installs
Attacker-controlled side-channel update endpoint shipped under the cover of "license validation" — same operator (SiteGuarding) and same sibling-plugin pair as audit #25 (wp-advanced-math-captcha). Where the wp-advanced-math-captcha audit …
Malicious Closed by wp.org
Audit #28
WP Antivirus Site Protection (by SiteGuarding.com)
— 4k+ installs
SiteGuarding 27-plugin portfolio (2013-2020) — 15 plugins shipped siteguarding_tools.php v1.7 RCE backdoor INLINE in the plugin folder; 12 sibling plugins shipped phone-home guideline violations. wp.org closed all 27 in May-June 2020. Oper…
Malicious Closed by wp.org
Audit #42
Speedup Optimization
— 100 installs
A previously-undocumented SiteGuarding burner, surfaced by the clean-on-closure hunt and closed in the same 2026-04-07 wave that took down the two documented burners. The backdoor. speedup-optimization.php defines speedup01_CopyTools(), wh…
Malicious Closed by wp.org
Audit #43
WP Install From Web
— 100 installs
This is a previously-undocumented SiteGuarding supply-chain backdoor burner. It was surfaced by hunting for plugins that WP.org cleaned on closure — i.e. where a Plugin Review Team account force-pushed a code change at the moment of closur…
Malicious Closed by wp.org
Audit #44
ByteDefense Security
A SiteGuarding security-branded front, surfaced by the clean-on-closure hunt. Unlike the documented closures that left malware in trunk, WP.org's plugin-master force-pushed a "Removing" commit at closure that stripped the payload file core…
Malicious Closed by wp.org
Audit #45
WP Google Core Web Vitals Fix
A SiteGuarding burner with a full remote-code-execution + persistence backdoor — Tier A. Surfaced by the closed-plugin blob scan (the new payload-decode scanner), which matched cmsplughub.com in the trunk that the old PHP-only IOC grep had…
Malicious Closed by wp.org
Audit #46
Code Quality Control Tool
A SiteGuarding burner with an undisclosed wp-config.php persistence injection — Tier A. Surfaced by the closed-plugin blob scan, which matched safetybis.com in the trunk. The persistence mechanism. Patch_WPconfig_file() (in code-quality-co…
Malicious Closed by wp.org
Audit #47
Magex AI Bot Defender
A SiteGuarding burner that routes through the safetybis.com C2 — Tier B (undisclosed phone-home / proxy, no in-plugin RCE sink). Surfaced by the closed-plugin blob scan via siteguarding.com + safetybis.com references in includes/class-site…
Malicious Closed by wp.org
Audit #48
SEO Pack
Verdict: malicious — a previously-undocumented 2024 wave of nine SiteGuarding supply-chain burner plugins, each on its own throwaway wp.org account. This is a distinct third operational phase of the SiteGuarding operation, sitting between …