Security is a major concern for WordPress site owners and rightly so: there are over 7.5 million cyber-attacks on WordPress sites every hour. Unsurprisingly, WordPress’ open-source nature and flexibility makes it vulnerable to a host of diverse attacks. But its core is quite secure as the WordPress team is dedicated to conserving the structural integrity of the application. The same, however, cannot be said for all WordPress themes and plugins.
A malware attack was recently discovered by John Castro of Sucuri. The malware places 10-12 lines of code at the top of vulnerable WordPress theme header.php files in order to redirect visitors to malicious sites.
This article will provide details of the attack; as well as tips to secure your site from such attacks in the future.
How the Malware Attack Works
As mentioned earlier, the malware places 10-12 lines of code at the top of the header.php file of an active WordPress theme. The code appears as follows:
The malware redirects visitors to default7 .com (not the final redirect destination) upon their first visit. It then sets the “896diC9OFnqeAcKGN7fW”cookie to track returning visitors for a year, and tests for search engine crawlers. If there are no crawlers, it proceeds to check the user agent header.
The redirects are random for everyone. Furthermore, default7 .com is only just the first redirect destination. Visitors are further redirected to the following domains (depending on the IP address and browser):
- test246 .com
- test0 .com
- distinctfestive .com
- ableoccassion .com
What is particularly interesting is the malware’s behavior on Internet Explorer. When the visitor uses Internet Explorer, they are redirected to a site that provides a malicious Flash or Java update.
Another interesting behavior occurs on Facebook. When you share an infected site link on Facebook, you may see the post snippet from another site – one of the five redirect sites. Facebook will still redirect people to the malicious site, even after you remove the malware from your site. This is because the cache is shared. You can reset the cache here.
You may be surprised to hear that this kind of infection is quite common when hackers get access to a WordPress admin interface. With the right credentials, they are able to (quite easily) edit a theme file.
Which Sites Are Infected?
The recent exploit is actually not the only malware threat on infected sites. In a majority of cases, the infected sites had several security vulnerabilities resulting in a number of other infections. Just a minority of sites showed that the infection was only found in the theme’s header.php file.
How to Detect the Malware
The malware code is not without flaws. That is, it often tests for parameters that do not exist, which results in a PHP error. Since some servers have PHP notices turned off, the error is not always displayed; but a Google search of “Notice: Undefined index: 6FoNxbvo73BHOjhxokW3” may reveal the malware code on your server.
Sucuri shared that some Google search results could reveal errors in the theme footer file. That is because the malware previously infected footer.php files and placed a similar redirect code at the top of those files. The attack moved to header.php files and re-infected sites that had the malware code in their footer.php file. Even though the malware has been updated, the redirects send visitors to the exact same pages.
How to Remove Malware
Removing malware is a multi-step process that you may want to consult a WordPress expert on. If you're not that experienced in security yourself, odds are you'll only make things worse. Businesses specialized in WordPress such as our very own Semper Fi Web Design team can address all your security concerns.
But for now, let’s take a look at what you can do in general to protect your site from such attacks.
How to Keep Your WordPress Site Secure
Protect Your WordPress Admin Interface
Your WordPress admin panel is a goldmine for criminals. Therefore, you need to restrict access to it as much as possible: only those who need to access it should be able to. In any case, you should restrict everybody’s ability to make changes to your header.php file.
As we’ve seen with this recent redirect attack, hackers with admin credentials to your site can directly and easily make changes to your theme’s header.php file. You can effortlessly disable a user’s ability to edit PHP files in your admin interface by adjusting your wp-config.php file. Simply copy and paste the following code in your wp-config.php file:
# Disable Theme Editing define( 'DISALLOW_FILE_EDIT', true );
Other tips for keeping your admin interface secure:
- Use strong passwords
- Change all passwords periodically
- Limit the number of login attempts
- Check to make sure that no fake admin accounts have been created
- Do not use “admin” as your admin username
- Enable two-factor authentication
Update WordPress, Themes and Plugins to Latest Versions
It is critical to update WordPress and all of your themes and plugins to their latest versions. In addition to improved functionality, most updates are provided to address security concerns and vulnerabilities, so update to the latest versions as soon as they are available.
Make Sure Your Computer(s) Is Free of Viruses and Malware
Any precautionary measures you take to protect your site from malware would all be null and void if your computer contains any viruses or malware. That’s because a hacker could access your site’s login details from your computer and swiftly proceed to infect the site. Therefore, it’s important to install a good antivirus program on all computers you use to log into your WordPress site.
Most of us love WordPress for its flexibility, among many other reasons. Indeed, it is the most popular open-source Content Management System (CMS) out there. However, the reasons we love it so much are the very reasons that make it vulnerable to cyber-attacks. It’s important to be aware of that and take the necessary steps to protect your site.
Wow, 7.5 million every hour, that is disturbing, interesting post Arnaud, thanks for the warning 🙂 Cheers Tracy
An absolute pleasure, Tracy. Thanks for the feedback!
Helpful article. Thanks a lot.
What is their initial attack vector? Is it simply gaining admin login access?
I’m wondering if there is a modsecurity rule that can be created to help prevent this?
A smart and well-configured modsecurity rule set is a true nightmare for hackers. 😀
Through some clever rules I’ve written…if I do say so myself 😉 the hacker hits on my WP sites have dropped significantly over the past year.
Thanks again.
Hi Mike
First of all, thanks for leaving a comment.
The aim of the hackers is to implement about 12 lines of code so visitors are redirected to other (possibly malicious) sites.
This, however, is only possible when they have already have gained access to a WordPress login that is able to edit the PHP files of the theme.
You can address this issue by disabling user permissions to edit PHP files via wp-admin. Implement the following code snippet in the wp-config.php file to disable this feature:
# Disable Theme Editing
define( ‘DISALLOW_FILE_EDIT’, true );
More importantly, you have to secure your WordPress credentials.
If you ever get hit by an attack, it’s important to change all of your passwords, check if any files were adjusted and scan for rogue admin accounts if you have multiple administrators.
Just a few more tips to secure your WordPress login:
– Change “admin” username to something less identifiable
– Change the login page URL from the default wp-login-php
– Create complex passwords
– Limit the number of login attempts in a given time period
Cheers
Arnaud
Change your FTP passwords too in case the attacker got access this way.
Great tip!
Arnaud,
Thank you for the valuable information. I appreciate that you provided a workaround and tips in your response to Mike. This is valuable information to me.
Happy Day! =)
You’re welcome Diana!
So you’re saying they would have to gain access by password, is that correct? No other way to enter. They can’t skip the password step?
It’s most common, but there are also other methods to gain access to your site’s files. FTP is a great example.
Which security plugin would you recommend and will not cause a conflict with All in One SEO Pack?
WordFence is a great one and has no compatibility issues with All in One SEO Pack.
We also highly recommend iTheme Security.
Mmmn! Quite helpful. I narrowly escaped an attack last week.
Thanks for useful post! I think we must careful about using nulled or free themes or plugins.
Found this post because there is a script that is being injected in the header.php of every site on the server account. Every few days I have to check header.php and remove the block of text above , usually with a ton of spaces above it. It’s unbearable! If the script isn’t removed, Google and other security scanners black list the site for a few days until it’s removed and ask Google to rescan the site. It’s messing with rankings bad!
So far:
1. Deleted all WP core files and reuploaded newest version core files.
2. Deleted unused plugins.
3. Checked every /uploads directory for .php files (since there should only be images).
4. Changed admin username.
5. Changed passwords.
6. Removed spam users.
7. Changed FTP password.
8. Installed Sucuri plugin and hardened everything, installed Wordfence, installed Bad Behavior.
Non of the security plugins are blocking this and none of them are even alerting that the header.php was modified. IT’S STILL HAPPENING ON A WEEKLY BASIS.
Questions:
1. How are they able to inject this script into every site on the hosting account at the same time, even if those sites don’t use the same plugins etc? This is the most frustrating and annoying thing because all of the sites need to have the script removed and all of the sites get blacklisted from Google, etc.
2. If they are able to get into your files and paste this script in the header.php and they realize you keep removing it, what’s stopping them from just messing with all the files or deleting stuff?
To answer your questions:
1. I’m not really certain that you are facing the same issue that is described in this article. In any case, if you articles keep being injected with code, you’re probably facing an infection of a malicious script on your webserver. You may want to backup all of your sites and clean them up one by one and do a full wipe of your server before restoring your sites again.
2. There’s nothing stopping them, but there are no gains for most hackers to completely destroy or infect a site. They still want people to visit and make use of the functionality/information on your site.
Hi Arnaud,
Thanks for sharing. Could this be the reason why I’m getting too many spam comments?
No, spam comments are just bots or bloggers trying to increase their SEO by creating backlinks from other websites to theirs.
This is a method that generally does not work because search engines see through this deception and can check the quality of backlinks.
If you are using WordPress, I recommend that you install a plugin like Akismet to filter valid and invalid comments.
It’s hard to find experienced people for this topic,
but you seem like you know what you’re talking about! Thanks
Hi, my website was hacked some month ago and we have cleaned it totally, but when ik set an add in Facebook with link to my website, it redirects the first time to a malicious website. I heard from someone that this redirection is always 1 time per IP. Should there still be infected files that creates this redirection?
Yes, it sounds like your site is still infected with malware. We provide a malware cleanup service, you can contact us here for information – https://aioseo.com/contact/
Great explanation.