WordPress Hack Redirects Visitors to Malicious Sites


The most recent WordPress hack redirects visitors to default7.com.

Which Sites Are Infected?

This redirect is usually not the only malware on an infected site. In the majority of cases examined, the infected sites had several security vulnerabilities and carried a number of other infections. Only a minority of sites had the infection confined to the theme's header.php file.

How to Detect the Malware

The injected code is sloppy: it reads request parameters that do not exist, which makes PHP emit a notice. Since many servers have display_errors turned off, the notice is not always printed on the page; but a Google search for “Notice: Undefined index: 6FoNxbvo73BHOjhxokW3” may reveal the malware code on your server. Where display_errors is off, the same notice is still written to the PHP error log as long as log_errors is enabled, so the log is the place to look next.

Sucuri reported that some Google search results also reveal errors in the theme footer file. That is because an earlier version of the malware infected footer.php files and placed a similar redirect code at the top of those files. The attack then moved to header.php files and re-infected sites that still had the malware code in their footer.php file. Even though the malware has been updated, the redirects send visitors to the exact same pages.
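The checks above (the token in header.php and footer.php, and the PHP notice it triggers) can be scripted. The following is an added example, not code from the original post or from Sucuri: it scans every theme's header.php and footer.php under one or more WordPress roots for the 6FoNxbvo73BHOjhxokW3 token named in this article, counts the matching “Undefined index” notices in a PHP error log, and reports how many blank lines precede the first line of a file (a commenter below reports the injected block is pushed down by a run of empty lines). The site paths, the log path and the fixture files are assumptions; the fixture contains a constructed stand-in for the injected stub, not the real payload.

```shell
#!/bin/sh
# Added example (not from the original post). Detects the header.php/footer.php
# redirect injection described above. Paths and fixture data are assumptions.

INDICATOR='6FoNxbvo73BHOjhxokW3'   # token the article names as the key the malware looks up

# Print every header.php/footer.php under the given WordPress roots that contains
# the indicator. Takes several roots because one hosting account often holds many sites.
# Usage: find_infected_theme_files /var/www/site1 /var/www/site2
find_infected_theme_files() {
    for root in "$@"; do
        find "$root/wp-content/themes" -type f \( -name header.php -o -name footer.php \) 2>/dev/null |
        while IFS= read -r f; do
            if grep -q "$INDICATOR" "$f"; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# Count "Undefined index: <token>" notices in a PHP error log. With display_errors
# off the notice never reaches the page, but log_errors still writes it here.
# Usage: count_indicator_notices /var/log/php_errors.log
count_indicator_notices() {
    grep -c "Undefined index: $INDICATOR" "$1" || true
}

# Count the blank lines before the first non-empty line. A theme header should start
# at line 1; a long run of blank lines hides an injected block from the theme editor.
leading_blank_lines() {
    awk 'NF { exit } { n++ } END { print n + 0 }' "$1"
}

# Constructed fixture (not real site data) so the checks can run offline.
# Prints the temporary WordPress root it creates.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/wp-content/themes/infected" "$fx/wp-content/themes/clean"
    # Stand-in for the injected stub: padded with blank lines and reading a request
    # key that is never sent, which is what produces the PHP notice. Not the real payload.
    printf '\n\n\n<?php if ($_REQUEST["%s"] == "1") { header("Location: http://example.invalid/"); exit; } ?>\n<!DOCTYPE html>\n' \
        "$INDICATOR" > "$fx/wp-content/themes/infected/header.php"
    printf '<?php wp_footer(); ?>\n' > "$fx/wp-content/themes/infected/footer.php"
    printf '<?php wp_head(); ?>\n' > "$fx/wp-content/themes/clean/header.php"
    # Two constructed log lines: one from the stub, one unrelated notice.
    printf '[12-Jan-2017 10:00:01 UTC] PHP Notice:  Undefined index: %s in %s on line 4\n' \
        "$INDICATOR" "$fx/wp-content/themes/infected/header.php" > "$fx/php-error.log"
    printf '[12-Jan-2017 10:00:02 UTC] PHP Notice:  Undefined variable: foo in /var/www/other.php on line 9\n' \
        >> "$fx/php-error.log"
    printf '%s\n' "$fx"
}

# Stand-alone run: scan the roots given on the command line, or the fixture if none.
if [ "$#" -eq 0 ]; then
    set -- "$(make_fixture)"
fi
find_infected_theme_files "$@"
for r in "$@"; do
    if [ -f "$r/php-error.log" ]; then
        printf '%s indicator notice(s) in %s\n' "$(count_indicator_notices "$r/php-error.log")" "$r/php-error.log"
    fi
done
```

Run it with the document roots of every site on the account as arguments; a match in any header.php or footer.php, or a non-zero notice count in the error log, is the signal to clean that site. The token match is the strongest indicator; the blank-line count is only a hint, since some themes legitimately begin with whitespace.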

How to Remove Malware

Removing malware is a multi-step process on which you may want to consult a WordPress expert. If you are not experienced in security yourself, the odds are you will only make things worse. Businesses specialized in WordPress, such as our own Semper Fi Web Design team, can address all of your security concerns.

But for now, let’s take a look at what you can do in general to protect your site from such attacks.

Arnaud, a foodie from Bruges, Belgium, is the editor for the Semper Plugins blog. He also manages the translation teams for All in One SEO Pack (over 58 languages!).

19 comments on “WordPress Hack Redirects Visitors to Malicious Sites”
  1. Tracy says:

    Wow, 7.5 million every hour, that is disturbing, interesting post Arnaud, thanks for the warning 🙂 Cheers Tracy

  2. Mike says:

    Helpful article. Thanks a lot.
    What is their initial attack vector? Is it simply gaining admin login access?

    I’m wondering if there is a modsecurity rule that can be created to help prevent this?

    A smart and well-configured modsecurity rule set is a true nightmare for hackers. 😀
    Through some clever rules I’ve written…if I do say so myself 😉 the hacker hits on my WP sites have dropped significantly over the past year.
    Thanks again.

    • Arnaud Broes says:

      Hi Mike

      First of all, thanks for leaving a comment.
      The aim of the hackers is to implement about 12 lines of code so visitors are redirected to other (possibly malicious) sites.

      This, however, is only possible when they have already gained access to a WordPress login that is able to edit the PHP files of the theme.

      You can address this issue by disabling user permissions to edit PHP files via wp-admin. Implement the following code snippet in the wp-config.php file to disable this feature:

      # Disable Theme Editing
      define( 'DISALLOW_FILE_EDIT', true );

      More importantly, you have to secure your WordPress credentials.
      If you ever get hit by an attack, it’s important to change all of your passwords, check if any files were adjusted and scan for rogue admin accounts if you have multiple administrators.

      Just a few more tips to secure your WordPress login:

      – Change “admin” username to something less identifiable
      – Change the login page URL from the default wp-login.php
      – Create complex passwords
      – Limit the number of login attempts in a given time period

      Cheers

      Arnaud

  3. Diana L. Faulkner says:

    Arnaud,

    Thank you for the valuable information. I appreciate that you provided a workaround and tips in your response to Mike. This is valuable information to me.

    Happy Day! =)

  4. Norman Grant says:

    So you’re saying they would have to gain access by password, is that correct? No other way to enter. They can’t skip the password step?

    • Arnaud Broes says:

      It’s most common, but there are also other methods to gain access to your site’s files. FTP is a great example.

  5. Valente says:

    Which security plugin would you recommend and will not cause a conflict with All in One SEO Pack?

    • Arnaud Broes says:

      WordFence is a great one and has no compatibility issues with All in One SEO Pack.
      We also highly recommend iThemes Security.

  6. Kevin Ashwe says:

    Mmmn! Quite helpful. I narrowly escaped an attack last week.

  7. Shariar sameer says:

    Thanks for the useful post! I think we must be careful about using nulled or free themes or plugins.

  8. Annoyed says:

    Found this post because there is a script that is being injected into the header.php of every site on the server account. Every few days I have to check header.php and remove the block of text above, usually with a ton of spaces above it. It’s unbearable! If the script isn’t removed, Google and other security scanners blacklist the site for a few days until it’s removed and I ask Google to rescan the site. It’s messing with rankings badly!

    So far:
    1. Deleted all WP core files and reuploaded newest version core files.
    2. Deleted unused plugins.
    3. Checked every /uploads directory for .php files (since there should only be images).
    4. Changed admin username.
    5. Changed passwords.
    6. Removed spam users.
    7. Changed FTP password.
    8. Installed Sucuri plugin and hardened everything, installed Wordfence, installed Bad Behavior.

    None of the security plugins are blocking this and none of them are even alerting that the header.php was modified. IT’S STILL HAPPENING ON A WEEKLY BASIS.

    Questions:
    1. How are they able to inject this script into every site on the hosting account at the same time, even if those sites don’t use the same plugins etc? This is the most frustrating and annoying thing because all of the sites need to have the script removed and all of the sites get blacklisted from Google, etc.
    2. If they are able to get into your files and paste this script in the header.php and they realize you keep removing it, what’s stopping them from just messing with all the files or deleting stuff?

    • Arnaud Broes says:

      To answer your questions:
      1. I’m not really certain that you are facing the same issue that is described in this article. In any case, if your articles keep being injected with code, you’re probably facing an infection of a malicious script on your webserver. You may want to back up all of your sites, clean them up one by one and do a full wipe of your server before restoring your sites again.
      2. There’s nothing stopping them, but there are no gains for most hackers to completely destroy or infect a site. They still want people to visit and make use of the functionality/information on your site.

  9. Emenike Emmanuel says:

    Hi Arnaud,

    Thanks for sharing. Could this be the reason why I’m getting too many spam comments?

    • Arnaud Broes says:

      No, spam comments are just bots or bloggers trying to increase their SEO by creating backlinks from other websites to theirs.
      This is a method that generally does not work because search engines see through this deception and can check the quality of backlinks.
      If you are using WordPress, I recommend that you install a plugin like Akismet to filter valid and invalid comments.

  10. سيو says:

    It’s hard to find experienced people for this topic,
    but you seem like you know what you’re talking about! Thanks
