Security is a major concern for WordPress site owners and rightly so: there are over 7.5 million cyber-attacks on WordPress sites every hour. Unsurprisingly, WordPress’ open-source nature and flexibility makes it vulnerable to a host of diverse attacks. But its core is quite secure as the WordPress team is dedicated to conserving the structural integrity of the application. The same, however, cannot be said for all WordPress themes and plugins.
A malware attack was recently discovered by John Castro of Sucuri. The malware places 10-12 lines of code at the top of vulnerable WordPress theme header.php files in order to redirect visitors to malicious sites.
This article will provide details of the attack; as well as tips to secure your site from such attacks in the future.
How the Malware Attack Works
As mentioned earlier, the malware places 10-12 lines of code at the top of the header.php file of an active WordPress theme. The code appears as follows:
The malware redirects visitors to default7 .com (not the final redirect destination) upon their first visit. It then sets the “896diC9OFnqeAcKGN7fW”cookie to track returning visitors for a year, and tests for search engine crawlers. If there are no crawlers, it proceeds to check the user agent header.
The redirects are random for everyone. Furthermore, default7 .com is only just the first redirect destination. Visitors are further redirected to the following domains (depending on the IP address and browser):
- test246 .com
- test0 .com
- distinctfestive .com
- ableoccassion .com
What is particularly interesting is the malware’s behavior on Internet Explorer. When the visitor uses Internet Explorer, they are redirected to a site that provides a malicious Flash or Java update.
Another interesting behavior occurs on Facebook. When you share an infected site link on Facebook, you may see the post snippet from another site – one of the five redirect sites. Facebook will still redirect people to the malicious site, even after you remove the malware from your site. This is because the cache is shared. You can reset the cache here.
You may be surprised to hear that this kind of infection is quite common when hackers get access to a WordPress admin interface. With the right credentials, they are able to (quite easily) edit a theme file.
Which Sites Are Infected?
The recent exploit is actually not the only malware threat on infected sites. In a majority of cases, the infected sites had several security vulnerabilities resulting in a number of other infections. Just a minority of sites showed that the infection was only found in the theme’s header.php file.
How to Detect the Malware
The malware code is not without flaws. That is, it often tests for parameters that do not exist, which results in a PHP error. Since some servers have PHP notices turned off, the error is not always displayed; but a Google search of “Notice: Undefined index: 6FoNxbvo73BHOjhxokW3” may reveal the malware code on your server.
Sucuri shared that some Google search results could reveal errors in the theme footer file. That is because the malware previously infected footer.php files and placed a similar redirect code at the top of those files. The attack moved to header.php files and re-infected sites that had the malware code in their footer.php file. Even though the malware has been updated, the redirects send visitors to the exact same pages.
How to Remove Malware
Removing malware is a multi-step process that you may want to consult a WordPress expert on. If you’re not that experienced in security yourself, odds are you’ll only make things worse. Businesses specialized in WordPress such as our very own Semper Fi Web Design team can address all your security concerns.
But for now, let’s take a look at what you can do in general to protect your site from such attacks.
How to Keep Your WordPress Site Secure
Protect Your WordPress Admin Interface
Your WordPress admin panel is a goldmine for criminals. Therefore, you need to restrict access to it as much as possible: only those who need to access it should be able to. In any case, you should restrict everybody’s ability to make changes to your header.php file.
As we’ve seen with this recent redirect attack, hackers with admin credentials to your site can directly and easily make changes to your theme’s header.php file. You can effortlessly disable a user’s ability to edit PHP files in your admin interface by adjusting your wp-config.php file. Simply copy and paste the following code in your wp-config.php file:
# Disable Theme Editing define( 'DISALLOW_FILE_EDIT', true );
Other tips for keeping your admin interface secure:
- Use strong passwords
- Change all passwords periodically
- Limit the number of login attempts
- Check to make sure that no fake admin accounts have been created
- Do not use “admin” as your admin username
- Enable two-factor authentication
Update WordPress, Themes and Plugins to Latest Versions
It is critical to update WordPress and all of your themes and plugins to their latest versions. In addition to improved functionality, most updates are provided to address security concerns and vulnerabilities, so update to the latest versions as soon as they are available.
Make Sure Your Computer(s) Is Free of Viruses and Malware
Any precautionary measures you take to protect your site from malware would all be null and void if your computer contains any viruses or malware. That’s because a hacker could access your site’s login details from your computer and swiftly proceed to infect the site. Therefore, it’s important to install a good antivirus program on all computers you use to log into your WordPress site.
Most of us love WordPress for its flexibility, among many other reasons. Indeed, it is the most popular open-source Content Management System (CMS) out there. However, the reasons we love it so much are the very reasons that make it vulnerable to cyber-attacks. It’s important to be aware of that and take the necessary steps to protect your site.