This plugin is closed on wordpress.org.
Closed 2026-06-18.
Temporary closure — pending a full review by wp.org.
Active installs
3k+
Current version
2.1.3
Added
2020-06-30
Last updated
—
First seen by beacon
2mo ago
Total downloads
—
Statistics
2024-06-17 → 2026-07-01 · 745 days
Active-install and ratings figures are the last values WP Beacon captured before wordpress.org closed this plugin — wp.org no longer publishes them. Daily downloads are still updated.
plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.
View raw JSON
{
"slug": "spider-analyser",
"pattern": "hardcoded_ip_url",
"kind": "builtin",
"version": "2.1.3",
"hit_count": 3,
"first_hit": {
"file": "spider_info.php",
"line": 8889,
"snippet": "'bot_url' => 'http://195.37.190.77/',"
},
"explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}
SVN committers (2)
Accounts with actual commit access to spider-analyser on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.
Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?