WordPress Hack Redirects Visitors to Malicious Sites


Security is a major concern for WordPress site owners, and rightly so: there are over 7.5 million cyber-attacks on WordPress sites every hour. Unsurprisingly, WordPress’ open-source nature and flexibility make it a target for a wide variety of attacks. Its core, however, is quite secure, as the WordPress team is dedicated to preserving the integrity of the application. The same cannot be said for all WordPress themes and plugins.

A malware attack was recently discovered by John Castro of Sucuri. The malware places 10-12 lines of code at the top of vulnerable WordPress theme header.php files in order to redirect visitors to malicious sites.

This article provides details of the attack, as well as tips to secure your site against such attacks in the future.

How the Malware Attack Works

As mentioned earlier, the malware places 10-12 lines of code at the top of the header.php file of an active WordPress theme. The code appears as follows:

Malware injection in header.php file

The malware redirects visitors to default7 .com (not the final redirect destination) on their first visit. It then sets a cookie named “896diC9OFnqeAcKGN7fW” to recognise returning visitors for a year, and checks whether the visitor is a search engine crawler. If it is not, it goes on to inspect the User-Agent header.

The redirects vary from visitor to visitor. Furthermore, default7 .com is only the first hop: visitors are then redirected to one of the following domains (depending on their IP address and browser):

  • test246 .com
  • test0 .com
  • distinctfestive .com
  • ableoccassion .com

What is particularly interesting is the malware’s behavior on Internet Explorer. When the visitor uses Internet Explorer, they are redirected to a site that serves a fake, malicious Flash or Java update.
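Because the redirect fires only on a visitor's first, cookie-less visit and is skipped for search engine crawlers, a site owner's own browser (which already holds the cookie) and Google's bot both see a clean page. The following probe, an added example that is not code from the post or from Sucuri, requests a URL twice with no cookies, once with an Internet Explorer User-Agent and once with a crawler User-Agent, stops at the first hop instead of following redirects, and reports whether only the browser visitor is sent elsewhere. The User-Agent strings and the decision rule in classify() are this example's own assumptions.

```python
import urllib.error
import urllib.request

# Assumed User-Agent strings: IE11 (the browser the post singles out) and Googlebot.
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the first hop stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx response


def first_hop(url, user_agent, timeout=10):
    """Make one fresh request (no cookies) and return (status, Location header)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # 3xx answers land here because NoRedirect declined to follow them.
        return err.code, err.headers.get("Location")


def classify(browser_hop, crawler_hop):
    """Compare the two first hops.

    'cloaked_redirect'  only the browser visitor is redirected (the pattern
                        the post describes), 'redirect_for_all' both are
                        (usually a legitimate canonical redirect), 'clean'
                        otherwise.
    """
    b_status, b_loc = browser_hop
    c_status, c_loc = crawler_hop
    browser_redirected = 300 <= b_status < 400 and bool(b_loc)
    crawler_redirected = 300 <= c_status < 400 and bool(c_loc)
    if browser_redirected and not crawler_redirected:
        return "cloaked_redirect"
    if browser_redirected and crawler_redirected:
        return "redirect_for_all"
    return "clean"


def probe(url):
    """Classify a live URL; run from a machine that has never visited the site."""
    return classify(first_hop(url, BROWSER_UA), first_hop(url, CRAWLER_UA))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Two caveats follow from the post itself: the destinations depend on IP address and browser, so a single "clean" result is not proof of a clean site, and this probe only sees HTTP-level redirects, not a redirect performed by injected JavaScript in the page body.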

Fake Adobe Flash update

Another interesting behavior occurs on Facebook. When you share an infected site link on Facebook, you may see the post snippet from another site – one of the five redirect sites. Facebook will keep sending people to the malicious site even after you remove the malware from your site, because Facebook caches the link preview and shares it between users. You can reset the cache here.

You may be surprised to hear that this kind of infection is quite common when hackers get access to a WordPress admin interface. With the right credentials, they are able to (quite easily) edit a theme file.
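A file-side check complements the description above. The script below is an added example, not code from the post, from Sucuri, or from any of the plugins mentioned: it looks in every theme's header.php for the indicators the post names (the tracking cookie name and the redirect domains) and for a long run of whitespace at the top of the file, and it compares each header.php against a SHA-256 baseline taken while the site was known to be clean, so a silent re-edit is noticed even when no known indicator matches. It also lists PHP files under wp-content/uploads, a check one commenter below performs by hand. The directory layout, the padding threshold and the sample site it builds are this example's own assumptions; the "injected" sample is a comment naming the indicators, not a working redirect.

```python
import hashlib
import os
import re
import tempfile

# Indicators named in the post. Domains are written undefanged here only so
# that they match the text of an injected file.
COOKIE_NAME = "896diC9OFnqeAcKGN7fW"
REDIRECT_DOMAINS = ("default7.com", "test246.com", "test0.com",
                    "distinctfestive.com", "ableoccassion.com")
# A genuine header.php does not begin with a long run of whitespace; a
# commenter reports the injected block hidden behind "a ton of spaces".
PADDING_THRESHOLD = 40  # assumed cut-off, tune for your own themes


def find_indicators(source):
    """Return the indicator labels present in the text of one header.php."""
    hits = []
    if len(source) - len(source.lstrip()) >= PADDING_THRESHOLD:
        hits.append("leading_whitespace_padding")
    if COOKIE_NAME in source:
        hits.append("tracking_cookie")
    for domain in REDIRECT_DOMAINS:
        if re.search("(?i)" + re.escape(domain), source):
            hits.append("redirect_domain:" + domain)
    return hits


def theme_headers(root):
    """Yield the relative path of every wp-content/themes/*/header.php."""
    themes = os.path.join(root, "wp-content", "themes")
    if os.path.isdir(themes):
        for name in sorted(os.listdir(themes)):
            path = os.path.join(themes, name, "header.php")
            if os.path.isfile(path):
                yield os.path.relpath(path, root)


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def scan_site(root):
    """Map each header.php to the indicators found in it."""
    results = {}
    for rel in theme_headers(root):
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            results[rel] = find_indicators(fh.read())
    return results


def make_baseline(root):
    """Hash every header.php on a site you have just verified is clean."""
    return {rel: sha256_of(os.path.join(root, rel)) for rel in theme_headers(root)}


def changed_since(root, baseline):
    """header.php files that are new or whose hash no longer matches the baseline."""
    return sorted(rel for rel, digest in make_baseline(root).items()
                  if baseline.get(rel) != digest)


def php_in_uploads(root):
    """The commenter's check: wp-content/uploads should hold media, not PHP."""
    uploads = os.path.join(root, "wp-content", "uploads")
    return sorted(os.path.relpath(os.path.join(d, f), root)
                  for d, _, files in os.walk(uploads) for f in files
                  if f.lower().endswith((".php", ".phtml")))


# Constructed sample data: a clean header, and the same header after an
# injection shaped like the one in the post (padding, cookie name, domain).
CLEAN_HEADER = "<?php\n/** Theme header. */\n?><!DOCTYPE html>\n<html>\n"
INJECTED_HEADER = (" " * 200 + "<?php\n// stands in for the injected block: "
                   "cookie " + COOKIE_NAME + ", redirect to default7.com\n?>\n"
                   + CLEAN_HEADER)


def build_sample_site():
    """Create a throwaway site tree with one clean theme and return its root."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    for sub in ("wp-content/themes/example-theme", "wp-content/uploads/2016/06"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "wp-content", "themes", "example-theme",
                           "header.php"), "w") as fh:
        fh.write(CLEAN_HEADER)
    return root


def infect_sample_site(root):
    """Alter the sample tree the way the commenter keeps finding his sites."""
    with open(os.path.join(root, "wp-content", "themes", "example-theme",
                           "header.php"), "w") as fh:
        fh.write(INJECTED_HEADER)
    with open(os.path.join(root, "wp-content", "uploads", "2016", "06",
                           "image.php"), "w") as fh:
        fh.write("<?php // constructed placeholder file\n")


if __name__ == "__main__":
    site = build_sample_site()
    baseline = make_baseline(site)      # taken while the site is clean
    infect_sample_site(site)
    print("indicators:     ", scan_site(site))
    print("changed files:  ", changed_since(site, baseline))
    print("php in uploads: ", php_in_uploads(site))
```

On a real install, point the functions at the WordPress root, store the baseline from make_baseline() outside the web root, and run changed_since() from cron; the hash comparison is what catches an edit that the indicator list does not know about yet.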

Arnaud, a foodie from Bruges, Belgium, is the editor for the Semper Plugins blog. He also manages the translation teams for All in One SEO Pack (over 58 languages!).

21 comments on “WordPress Hack Redirects Visitors to Malicious Sites”
  1. Tracy says:

    Wow, 7.5 million every hour, that is disturbing, interesting post Arnaud, thanks for the warning 🙂 Cheers Tracy

  2. Mike says:

    Helpful article. Thanks a lot.
    What is their initial attack vector? Is it simply gaining admin login access?

    I’m wondering if there is a modsecurity rule that can be created to help prevent this?

    A smart and well-configured modsecurity rule set is a true nightmare for hackers. 😀
    Through some clever rules I’ve written…if I do say so myself 😉 the hacker hits on my WP sites have dropped significantly over the past year.
    Thanks again.

    • Arnaud Broes says:

      Hi Mike

      First of all, thanks for leaving a comment.
      The aim of the hackers is to implement about 12 lines of code so visitors are redirected to other (possibly malicious) sites.

      This, however, is only possible when they have already gained access to a WordPress login that is able to edit the PHP files of the theme.

      You can address this issue by disabling user permissions to edit PHP files via wp-admin. Implement the following code snippet in the wp-config.php file to disable this feature:

      # Disable theme and plugin editing from wp-admin
      define( 'DISALLOW_FILE_EDIT', true );

      More importantly, you have to secure your WordPress credentials.
      If you ever get hit by an attack, it’s important to change all of your passwords, check if any files were adjusted and scan for rogue admin accounts if you have multiple administrators.

      Just a few more tips to secure your WordPress login:

      – Change “admin” username to something less identifiable
      – Change the login page URL from the default wp-login.php
      – Create complex passwords
      – Limit the number of login attempts in a given time period

      Cheers

      Arnaud

  3. Diana L. Faulkner says:

    Arnaud,

    Thank you for the valuable information. I appreciate that you provided a workaround and tips in your response to Mike. This is valuable information to me.

    Happy Day! =)

  4. Norman Grant says:

    So you’re saying they would have to gain access by password, is that correct? No other way to enter. They can’t skip the password step?

    • Arnaud Broes says:

      It’s most common, but there are also other methods to gain access to your site’s files. FTP is a great example.

  5. Valente says:

    Which security plugin would you recommend and will not cause a conflict with All in One SEO Pack?

    • Arnaud Broes says:

      WordFence is a great one and has no compatibility issues with All in One SEO Pack.
      We also highly recommend iThemes Security.

  6. Kevin Ashwe says:

    Mmmn! Quite helpful. I narrowly escaped an attack last week.

  7. Shariar sameer says:

    Thanks for useful post! I think we must careful about using nulled or free themes or plugins.

  8. Annoyed says:

    Found this post because there is a script that is being injected in the header.php of every site on the server account. Every few days I have to check header.php and remove the block of text above, usually with a ton of spaces above it. It’s unbearable! If the script isn’t removed, Google and other security scanners blacklist the site for a few days until it’s removed and I ask Google to rescan the site. It’s messing with rankings bad!

    So far:
    1. Deleted all WP core files and reuploaded newest version core files.
    2. Deleted unused plugins.
    3. Checked every /uploads directory for .php files (since there should only be images).
    4. Changed admin username.
    5. Changed passwords.
    6. Removed spam users.
    7. Changed FTP password.
    8. Installed Sucuri plugin and hardened everything, installed Wordfence, installed Bad Behavior.

    None of the security plugins are blocking this and none of them are even alerting that the header.php was modified. IT’S STILL HAPPENING ON A WEEKLY BASIS.

    Questions:
    1. How are they able to inject this script into every site on the hosting account at the same time, even if those sites don’t use the same plugins etc? This is the most frustrating and annoying thing because all of the sites need to have the script removed and all of the sites get blacklisted from Google, etc.
    2. If they are able to get into your files and paste this script in the header.php and they realize you keep removing it, what’s stopping them from just messing with all the files or deleting stuff?

    • Arnaud Broes says:

      To answer your questions:
      1. I’m not really certain that you are facing the same issue that is described in this article. In any case, if your articles keep being injected with code, you’re probably facing an infection of a malicious script on your webserver. You may want to back up all of your sites and clean them up one by one and do a full wipe of your server before restoring your sites again.
      2. There’s nothing stopping them, but there are no gains for most hackers to completely destroy or infect a site. They still want people to visit and make use of the functionality/information on your site.

  9. Emenike Emmanuel says:

    Hi Arnaud,

    Thanks for sharing. Could this be the reason why I’m getting too many spam comments?

    • Arnaud Broes says:

      No, spam comments are just bots or bloggers trying to increase their SEO by creating backlinks from other websites to theirs.
      This is a method that generally does not work because search engines see through this deception and can check the quality of backlinks.
      If you are using WordPress, I recommend that you install a plugin like Akismet to filter valid and invalid comments.

  10. سيو says:

    It’s hard to find experienced people for this topic,
    but you seem like you know what you’re talking about! Thanks

  11. Dennis says:

    Hi, my website was hacked some months ago and we have cleaned it totally, but when I set an ad in Facebook with a link to my website, it redirects the first time to a malicious website. I heard from someone that this redirection is always 1 time per IP. Could there still be infected files that create this redirection?
