Approximately 30% of Internet websites are running on WordPress, making it the world’s most popular content management system. Unfortunately, the incredible level of popularity enjoyed by WordPress has a significant downside — it makes the platform very attractive to hackers.
One common attack vector used against WordPress websites involves compromising files to cause the website to automatically redirect users to another location. This kind of attack is called a Malicious Redirection. There are multiple ways to perpetrate malicious redirects in WordPress, including using a plugin, theme or server-side intrusion. This article will explain how this kind of attack works and will offer some tips for addressing it.
How does a malicious redirection work?
A hacker will employ a malicious redirection to redirect the visitors to your website to another location. Once they have been redirected, your visitors may be exposed to malware, advertising spam, or phishing attacks.
To perform a malicious redirection attack, the hacker must alter some of your WordPress website files. To be able to do so, they usually rely on the following techniques:
- Gaining access to your server, then updating or creating a file with a malicious redirects.
- Getting you to install a rogue plugin that adds malicious code.
- Getting you to install a rogue theme that adds malicious code.
What kinds of techniques are used to add malicious redirects?
There have been many types of malicious redirect techniques used on WordPress websites. The most common include:
1) Modifying the .htaccess website
Every WordPress website has a .htaccess file located in the folder where WordPress was installed. WordPress uses this file to change how the web server deals with files. It is also used to create the pretty permalinks used by WordPress. Hackers who gain access to your server can alter this file to add a malicious redirect. Redirect would send all visitors to another website.
Hackers might also add additional .htaccess files containing a malicious redirect in other locations like /wp-content or /wp-includes.
2) Modifying WordPress’s PHP files
Malicious redirects are often found in PHP files within WordPress including index.php, header.php, footer.php, and functions.php. Hackers target these files because they are executed often by WordPress. Hackers might also modify the header.php file of your WordPress installation by using an encoded string and PHP’s eval() function.
3) Installing a plugin or theme that changes other files
Another common pathway for a malicious redirect to infect a site is by getting the website owner to unwittingly install a fraudulent plugin or theme. WordPress highlighted one instance of this occurring via a plugin called ilovedc. Upon installing this plugin, it would use the WordPress function insert_with_marker() to modify the site’s .htaccess file. The fix for this type of attack was to delete the plugin and restore your website’s old .htaccess.
The malicious code can be recognised by the long hex-encoded strings it places in files. These sections of code look something like:
It appeared that this particular attack typically begins with a brute-force attack on WordPress xmlrpc.php or login.php files. The hacker will attack the site until they gain access to the WordPress administration section.
Once the hackers are in the administration section, they will open the theme editor and change the 404.php file of the current theme. They may also attempt to upload infected plugins and themes. Hackers would even add backdoors in other files to give themselves access to the website at a later date.
Weak passwords and cross-site contamination were primarily responsible for this kind of attack because they made brute force attacks simply to perform.
Removing WordPress redirects added by hackers
Fortunately, removing WordPress redirects is usually a simple process.
1) Change your passwords and check registered users
If a hacker has managed to gain access to your administration section, you will need to change the passwords for all WordPress users. You will also have to ensure that no additional users have been added by the hacker. To be on the safe side, you should also generate new WordPress salt keys and passwords for FTP accounts, databases, and hosting accounts.
2) Remove any unexpected plugins and themes from the website
The presence of unexpected themes or plugins may indicate that your site has been compromised. Delete all of these files.
3) Scan your website with an appropriate tool
There are many third party tools which will scan your website to identify malware and compromised files. ThreatPress offers cleaning services and software to make the cleaning process easier.
4) Use a WordPress plugin to scan your files
There are a variety of plugins that will scan your WordPress system files to ensure they are correct. These scanners will identify any malicious code that has been added to files like index.php, db.php, header.php, and footer.php. Security and Monitoring plugin for WordPress can scan and identify altered or infected WordPress core files.
5) Manually inspect vulnerable files
6) Reinstall your WordPress files, plugins, and themes
If the problem still persists, revert to an older backup of your website. If you do not have a backup of your website available, perform a complete reinstall of all WordPress files, plugins, and themes.
7) Resubmit your website to Google
If Google has discovered malicious redirects on your website, they may apply a penalty. This penalty could range from a warning message that appears next to your website in the search engine results through to a complete blacklisting of your website. Once you have repaired your website, go to Google’s Search Engine Console and using the Remove URLs Feature to eliminate any references that Google has to the infected pages. You will then have to go to Search Traffic > Manual Actions and Request a Review of your website.
Ensuring this kind of attack does not happen again
It’s important to take steps to ensure this attack does not happen again in the future. The following steps will substantially reduce the risk of another attack.
1) Improve your passwords
Make your passwords more complex so hackers are less likely to successfully use a brute force attack on your website. Your passwords should also be regularly changed.
2) Install WordPress security software
We offer WordPress security plugin that will help you to strengthen your WordPress. This plugin will scan your WordPress core files and inform you of any unexpected changes. It also have Brute Force Protection and a variety of other security tools to keep your website safe.
3) Install a WordPress theme checking plugin
4) Never install plugins or themes from untrusted source
As much as possible, obtain your plugins from the official WordPress site. Don’t install plugins or themes unless you really need the functionality they provide. If you are not using a plugin or theme, delete it from your website.
5) Keep all themes and plugins updated
WordPress themes and plugins do sometimes contain vulnerabilities that can be exploited by hackers. Keep them updated to minimise the risk of a vulnerability being present.
6) Ensure your WordPress installation is regularly backed up
It’s essential to back up your website regularly so you can quickly recover from these kinds of attacks. Use a web host that offers free backups. You should store your backups in at least three separate locations.
7) Change to a web host that has better WordPress security
Some web hosts specialise in WordPress hosting and have automated tools that scan your WordPress installation for you. These tools can identify malicious redirect attacks and remove them before they do any damage.
For more articles on WordPress security, please subscribe to the site or follow us on social media.