Malware in Wordpress

How Does WordPress Malware Work?

This article explains in detail how a WordPress malware operates and what you can do to protect yourself.

How Does WordPress Malware Work? (Examples Included)

Among the open-source CMSs available today, WordPress is widely targeted by spammers around the globe. Be it the notorious pharma hack or the Japanese SEO spam, outdated WordPress sites are always a target.

The outdated core files and expired versions of WordPress plugins & themes result in an even more vulnerable WordPress site. Statistics show that 56% of all WordPress vulnerabilities sprout from exploitable plugins. Attackers leverage these vulnerabilities to gain access to your WordPress core files and exploit it.

Wordpress Malware Infection: Common Causes

There are several things that can go wrong when it comes to WordPress security. However, the four most common reasons behind WordPress malware infections are:

  1. Server Misconfigurations can allow attackers to inject malware into your WordPress site.
  2. Outdated WordPress core files may be vulnerable which can be leveraged by the hacker to inject malware.
  3. Buggy or outdated WordPress plugins & themes make for the most common cause of  WordPress malware infection.
  4. Using weak or default passwords can make your site vulnerable to brute force attacks.

WordPress Malware: Code Analysis

After footing from an outdated plugin or a theme, WordPress malware goes through the following process.

Once the site has been compromised, the malware fetches a malicious javascript named source.js from malicious domains like “dns[dot]createrelativechanging[dot]com”. This malicious javascript code contains a function called todo() which seems harmless at first.

But, the script, tries to secretly change the “siteurl” and “home” options for the logged-in users as shown in the code given below.

Pillar Blog WordPress malware campaign

The users who are not logged in, are then redirected to scam sites. These sites often contain fake captcha and are a part of a larger push notification scam. The captcha looks something like this.

Pillar Blog WordPress malware campaign

Once the unsuspecting user clicks on the “Allow” option. It triggers a call-to-action being clicked. Push notification was originally designed to send rich content messages to the user but the spammers exploit this feature to serve spam ads. These ads can render even after the user closes the website!

WordPress Malware: Obfuscation Techniques

To avoid detection of the notorious WordPress Malware, the hackers use some clever techniques to hide code. These are as follows:

Url Encoding + String.fromCharCode Obfuscation

To further clarify, let us look at one such malware infection example. This is an example of a malicious request made to inject WordPress malware. Here, the attacker has provided the “read-more-text” parameter with a malicious request hidden in the form of chars. The attacker has used URL encoding to avoid suspicion. So in URL encoding, comma becomes %2C, double quotes become %22 and so on. Thereafter, the fromCharCode() method of javascript converts the character into their codes respectively. i.e. The first few chars are (40,102,117,110,99,116,105,111,110,40,41,32,123,10), which translate to the following string: “function(){“. Therefore, using these techniques the Rich Reviews Plugin was hacked.

Pillar Blog WordPress malware campaign

Inline Scripts

The other method is to avoid putting the code between the <script></script> tags. Instead, attackers use the data URLs which allow embedding small files prefixed with “data:”. Using this technique, the javascript code is placed inline by the src parameter instead of between the script tag.

Pillar Blog WordPress malware campaign

CSS Injection

Some vulnerable plugins like the Blog Designer plugin allowed the attackers to inject code inside the <style>. The code used the same String.fromCharCode method to conceal the code. Moreover, the code contains random comments between the chars to avoid detection.

Pillar Blog WordPress malware campaign

HTML Entity Obfuscation

Another technique that the attackers have used to make code unreadable is to replace the characters with their respective HTML entities. This allows them to write a character in the following format:

&entity_name;

OR

&#entity_number;

This is a special feature of HTML intended to be used for special characters. For instance, the double quotation mark can be written as: 

&quot;

Or

&#34;

Moreover, what makes this obfuscation further strong is that HTML entities can be specified for any radix(i.e Decimal, Hexadecimal). For instance the string “function()” would be encoded into HTML entities as &#x66;&#x75;&#x6E;&#x63;&#x74;&#x69;&#x6F;&#x6E;&#x28;&#x29;&#xA;

In the code given below, the attacker has combined the inline method with the HTML entity method to obfuscate code. Characters are in hexadecimal form (entity number) whereas special chars like comma use entity name.

Pillar Blog WordPress malware campaign

WordPress Malware: Mitigation

The cheapest and the best way to protect yourself from this WordPress malware is to keep your core files, themes and plugins updated. Avoid using unknown plugins and themes.

Make sure to create strong passwords for your admin account, WordPress database, hosting, etc. Generally, a strong password is a mix of letters, numbers, and characters. Avoid using common phrases or proper words as passwords. You can also use a password generator such as Lastpass or keePass for secure passwords.

If you are infected with the push notification malware, you will notice frequent messages from the website even after closing it. This malware can be cleaned based on your browser. Simply Google for “remove browser push notifications <your browser>”. Thereafter, follow the steps and you are done!

Summing Up

Besides the common causes mentioned above, plenty of other things can also go wrong and lead to a WordPress malware infection. 

The best way to protect your WordPress site by indulging in recommended WordPress security practices. Most of these WordPress security recommendations could be achieved with this Free WP Hardening plugin. WP Hardening is a security tool that fixes 12+ security areas with just a click.

Moreover, investing in a premium security solution is the way to cover all security lapses that a manual process/free plugin might miss.