WP Backdoor and wp_is_mobile()

Does anyone know of any CVEs that I need to know about that pertain to the WP backdoor entry that I saw in my NinjaFirewall log?

04/Dec/22 00:17:38  #8906190  CRITICAL  1404  18X.19X.XX.XX    GET /index.php - WP backdoor - [SERVER:HTTP_USER_AGENT = wp_is_mobile] - [mydomainname.com]

At least my NinjaFirewall plugin has blocked more than 100 threats so far that relate to the wp_is_mobile() function. I do not use the wp_is_mobile() function in my theme. Plus, I only use my computer to manage my ClassicPress administration panel; however, I do use my smartphone to check for theming issues and that’s about it.

I have masked parts of the IP address and replaced my domain name with [mydomainname.com]. I get a lot of attempts from the same IP address. I cannot find a better place to ask a security question, so please feel free to move it wherever it should be. Thanks.

Is this it?

1 Like

Hmm… I am not too sure if the article that I read is related to the wp_is_mobile backdoor vulnerability, as I have my own custom theme and I do not use AccessPress plugins and themes. And since NinjaFirewall did block about 136 threats, I’m not too worried about it.

Update: Actually, I think it might have something to do with wp_is_mobile_fix. I checked the wp-includes/vars.php and nothing was altered, so I’m OK for now.

grep -r wp_is_mobile_fix *

Outputs nothing in /var/www.

Thank you for the article.

For those who came across my thread, here is the actual thread from someone who reported the same issue regarding WP Backdoor. If your ClassicPress site is up to date and you are using NinjaFirewall to protect your site, there is nothing to worry about.

wp_is_mobile() is a core WordPress function that looks at user-agents to discern if the visitor is using a large screen or mobile device - adding that description as a user agent to a bot is a simple way to make it look legitimate when the attack is anything but.

It seems like your security plugin captured it and logged it anyways so all good. There are millions of sites on WordPress platforms so they are a continuous target and are being scanned all the time. Issues only arise when these scans find a vulnerability and your site is more actively targeted.

1 Like

Yeah, my firewall reported 284 threats so far, of which 95% are rated critical.

Thank you for the information about the wp_is_mobile. The best I can do is to keep ClassicPress, plugins, and my VPS server up to date so that I can become less of a target.
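An added example, not part of the thread and not NinjaFirewall's own code: a small Python parser for log lines laid out like the entry quoted in the first post, tallying blocked requests by severity and source IP and picking out the ones that matched on a wp_is_mobile user agent. The field names (incident, level, rule and so on) are labels assumed from that one sample line, and the sample lines, IPs and second rule are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the layout of the entry quoted in the thread.
# IPs come from documentation ranges; incident ids and rule 9999 are made up.
SAMPLE_LOG = """\
04/Dec/22 00:17:38  #8906190  CRITICAL  1404  203.0.113.7    GET /index.php - WP backdoor - [SERVER:HTTP_USER_AGENT = wp_is_mobile] - [example.com]
04/Dec/22 00:19:02  #1234567  CRITICAL  1404  203.0.113.7    GET /index.php - WP backdoor - [SERVER:HTTP_USER_AGENT = wp_is_mobile] - [example.com]
04/Dec/22 01:02:11  #7654321  MEDIUM  9999  198.51.100.23    POST /xmlrpc.php - Constructed sample rule - [POST:foo = bar] - [example.com]
this line is not a firewall entry
"""

# Column names are assumptions inferred from the sample line, not an official schema.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\w{3}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"#(?P<incident>\d+)\s+(?P<level>[A-Z]+)\s+(?P<rule>\d+)\s+"
    r"(?P<ip>\S+)\s+(?P<method>[A-Z]+) (?P<uri>\S+) - (?P<reason>.*?) - "
    r"\[(?P<match>.*)\] - \[(?P<host>[^\]]*)\]$"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(text):
    """Count parsed events by severity and IP; track wp_is_mobile user-agent hits."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    ua_hits = [
        e for e in events
        if e["match"].startswith("SERVER:HTTP_USER_AGENT") and "wp_is_mobile" in e["match"]
    ]
    return {
        "total": len(events),
        "by_level": Counter(e["level"] for e in events),
        "by_ip": Counter(e["ip"] for e in events),
        "ua_probe_ips": Counter(e["ip"] for e in ua_hits),
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("events:", report["total"], dict(report["by_level"]))
    for ip, n in report["ua_probe_ips"].most_common():
        print(f"{ip}: {n} requests with a wp_is_mobile user agent")
```
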