Security is a major concern for WordPress site owners, and rightly so: there are over 7.5 million cyber-attacks on WordPress sites every hour. Unsurprisingly, WordPress’ open-source nature and flexibility make it vulnerable to a host of diverse attacks. Its core is quite secure, as the WordPress team is dedicated to preserving the structural integrity of the application. The same, however, cannot be said for all WordPress themes and plugins.
A malware attack was recently discovered by John Castro of Sucuri. The malware places 10-12 lines of code at the top of vulnerable WordPress theme header.php files in order to redirect visitors to malicious sites.
This article will provide details of the attack; as well as tips to secure your site from such attacks in the future.
How the Malware Attack Works
As mentioned earlier, the malware places 10-12 lines of code at the top of the header.php file of an active WordPress theme. The code appears as follows:
The malware redirects visitors to default7 .com (not the final redirect destination) on their first visit. It then sets the “896diC9OFnqeAcKGN7fW” cookie to recognize returning visitors for a year, and tests for search engine crawlers. If the request does not come from a crawler, it proceeds to check the User-Agent header.
The redirects are random for everyone. Furthermore, default7 .com is only the first redirect destination. Visitors are further redirected to the following domains (depending on the IP address and browser):
- test246 .com
- test0 .com
- distinctfestive .com
- ableoccassion .com
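The cookie name and the redirect domains above are concrete indicators a site owner can search for. The following scanner is an added example written for this article, not Sucuri's or WordPress' own code: it walks a themes directory, reads each header.php, and reports the article's indicators (the domains are written without the defanging space the article uses). It also applies a heuristic that is my own assumption rather than a claim from the article: a theme's header.php normally does not inspect cookies or the user agent, or issue redirects, in its first lines, so such calls near the top of the file are flagged for review. The sample theme files are constructed test fixtures, not the real injected code.

```python
"""Scan WordPress theme header.php files for the redirect-malware indicators
described in the article (added example; fixtures below are constructed)."""
import os
import re
import tempfile
from typing import Dict, List

# Indicators taken from the article (defanging spaces removed).
KNOWN_COOKIE = "896diC9OFnqeAcKGN7fW"
KNOWN_DOMAINS = [
    "default7.com",
    "test246.com",
    "test0.com",
    "distinctfestive.com",
    "ableoccassion.com",
]

# Heuristic (my assumption, not from the article): legitimate header.php files
# rarely set cookies, read $_COOKIE / the user agent, redirect, or decode
# base64 in their opening lines.
SUSPICIOUS_CALLS = re.compile(
    r"setcookie\s*\(|header\s*\(\s*['\"]Location|\$_COOKIE\b|HTTP_USER_AGENT|base64_decode\s*\(",
    re.IGNORECASE,
)
TOP_LINES = 15  # the article says the injected block is 10-12 lines at the top


def scan_header(text: str) -> List[Dict[str, str]]:
    """Return a list of findings for the contents of one header.php."""
    findings: List[Dict[str, str]] = []
    lowered = text.lower()
    if KNOWN_COOKIE in text:
        findings.append({"type": "cookie", "value": KNOWN_COOKIE})
    for domain in KNOWN_DOMAINS:
        if domain in lowered:
            findings.append({"type": "domain", "value": domain})
    head = "\n".join(text.splitlines()[:TOP_LINES])
    # Deduplicate so one call pattern is reported once per file.
    for hit in sorted({m.group(0) for m in SUSPICIOUS_CALLS.finditer(head)}):
        findings.append({"type": "heuristic", "value": hit})
    return findings


def scan_theme_dir(root: str) -> Dict[str, List[Dict[str, str]]]:
    """Scan every header.php under root; keys are paths relative to root."""
    results: Dict[str, List[Dict[str, str]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name != "header.php":
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            results[rel] = scan_header(text)
    return results


# Constructed fixtures: a plain theme header and one carrying the indicators.
CLEAN_HEADER = (
    "<!DOCTYPE html>\n"
    "<html <?php language_attributes(); ?>>\n"
    "<head>\n<?php wp_head(); ?>\n</head>\n"
)
INFECTED_HEADER = (
    "<?php\n"
    "$ua = $_SERVER['HTTP_USER_AGENT'];\n"
    "if (!isset($_COOKIE['896diC9OFnqeAcKGN7fW'])) {\n"
    "    // constructed stand-in: the real code redirects to default7.com here\n"
    "}\n?>\n"
) + CLEAN_HEADER


def demo() -> Dict[str, List[Dict[str, str]]]:
    """Write the two fixtures into a temporary themes directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for theme, body in (("clean-theme", CLEAN_HEADER), ("infected-theme", INFECTED_HEADER)):
            os.makedirs(os.path.join(root, theme))
            with open(os.path.join(root, theme, "header.php"), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_theme_dir(root)


if __name__ == "__main__":
    for rel, findings in demo().items():
        status = "SUSPICIOUS" if findings else "clean"
        print(f"{rel}: {status}")
        for f in findings:
            print(f"  {f['type']}: {f['value']}")
```

Run it against a real install by calling `scan_theme_dir("/path/to/wp-content/themes")`; a hit on the cookie name or one of the domains is a direct match on the article's indicators, while a heuristic hit only marks the file for a manual look at its opening lines.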
What is particularly interesting is the malware’s behavior on Internet Explorer. When the visitor uses Internet Explorer, they are redirected to a site that provides a malicious Flash or Java update.
Another interesting behavior occurs on Facebook. When you share an infected site's link on Facebook, you may see the post snippet from another site – one of the five redirect sites. Facebook will keep sending people to the malicious site even after you remove the malware from your site, because Facebook caches the shared link's preview. You can reset the cache here.
You may be surprised to hear that this kind of infection is quite common once attackers gain access to a WordPress admin interface. With the right credentials, they can edit a theme file quite easily.