Spammers modify sites’ core WordPress files for long-lasting compromise

In their quest to compromise WordPress installations and prevent site owners from discovering it and cleaning up the website, blackhat SEO spammers have turned to modifying core WordPress files.


The content management system's popularity, and the fact that many of the site owners and admins running it are not particularly tech-savvy, make WordPress sites an easy target for attackers.

The initial compromise usually happens due to the use of weak passwords, malware, and outdated WP installations, themes or plugins with exploitable vulnerabilities.

The scammers then usually add malicious scripts to the theme files (such as header.php or footer.php) or modify files in the root of the WordPress install (e.g. index.php or wp-load.php), which is also where site owners are bound to look first when hunting for malicious content.

Infecting core WordPress files

But in a situation encountered by Sucuri analyst Luke Leal, SEO scammers injected one core WordPress file (./wp-includes/load.php) with a trigger that forces the loading of a second file (./wp-admin/includes/class-wp-text.php) that was added to the core install.

“A website owner contacted us worried about pornographic content showing in Google results for their site. As you can imagine, he was eager to have it removed from his business site. They were already losing countless potential customers and damaging existing relationships,” Leal explained.

The ./wp-admin/includes/class-wp-text.php file distinguished search-engine crawlers from human visitors and served each different content, a technique known as cloaking. Humans saw the normal site, while crawlers were fed pornographic spam pulled from a remote URL under the attackers' control, so the payload could be swapped at any time without touching the compromised site again.
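Because the spam is only shown to crawlers, loading the site in a browser proves nothing. The usual way to confirm cloaking is to request the same page twice, once as a browser and once as a search bot, and diff the snippet-relevant fields. The following Python script is an added example (not Sucuri's code, and not the malicious file from the article); it assumes the cloaking keys on the User-Agent header, which the article does not state, and the sample HTML pages and the `constructed_fetcher` stand-in are constructed so that the check runs offline. Replace `constructed_fetcher` with the default `fetch_with_ua` to run it against a live site.

```python
import re
import urllib.request
from typing import Callable, Dict, Tuple

# Two User-Agent strings: an ordinary browser and Google's crawler. That the
# cloaking script selects on User-Agent is an assumption of this example.
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Fetcher = Callable[[str, str], str]


def fetch_with_ua(url: str, user_agent: str) -> str:
    """Fetch url while presenting the given User-Agent (live network fetch)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def _meta_description(html: str) -> str:
    """Return the content of <meta name="description">, whatever the attribute order."""
    for tag in re.findall(r"<meta\b[^>]*>", html, re.I):
        attrs = {k.lower(): v for k, v in
                 re.findall(r'([\w-]+)\s*=\s*["\']([^"\']*)["\']', tag)}
        if attrs.get("name", "").lower() == "description":
            return attrs.get("content", "").strip()
    return ""


def extract_seo_fields(html: str) -> Dict[str, str]:
    """Pull out the fields a search engine builds its result snippet from."""
    m = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    return {
        "title": m.group(1).strip() if m else "",
        "description": _meta_description(html),
        # number of links on the page; injected spam usually adds many
        "link_count": str(len(re.findall(r"<a\b[^>]*\bhref\s*=", html, re.I))),
    }


def check_cloaking(url: str, fetcher: Fetcher = fetch_with_ua) -> Dict[str, Tuple[str, str]]:
    """Fetch url as a browser and as Googlebot; return the fields that differ as (human, bot)."""
    human = extract_seo_fields(fetcher(url, BROWSER_UA))
    bot = extract_seo_fields(fetcher(url, GOOGLEBOT_UA))
    return {k: (human[k], bot[k]) for k in human if human[k] != bot[k]}


# --- constructed sample responses so the check runs offline ---
HUMAN_PAGE = """<html><head><title>Acme Plumbing</title>
<meta content="Licensed plumbers in Springfield" name="description"></head>
<body><a href="/services">Services</a><a href="/contact">Contact</a></body></html>"""

BOT_PAGE = """<html><head><title>Cheap adult content online</title>
<meta name="description" content="Spam text injected for crawlers"></head>
<body><a href="http://spam.invalid/1">1</a><a href="http://spam.invalid/2">2</a>
<a href="http://spam.invalid/3">3</a></body></html>"""


def constructed_fetcher(url: str, user_agent: str) -> str:
    """Stand-in for fetch_with_ua that behaves like a cloaked site (constructed data)."""
    return BOT_PAGE if "Googlebot" in user_agent else HUMAN_PAGE


if __name__ == "__main__":
    diffs = check_cloaking("http://example.invalid/", constructed_fetcher)
    for field, (seen_by_human, seen_by_bot) in diffs.items():
        print(f"{field}: human={seen_by_human!r} bot={seen_by_bot!r}")
```

An empty result does not prove the site is clean: cloaking scripts can also key on the client IP range, a Referer of google.com, or the presence of a cookie, so repeat the comparison from a different network or using Google Search Console's URL inspection tool, which fetches with Google's real crawler.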

“This particular SEO spam not only created bogus meta-data for the main text link and description, it also changed the sitelink snippets (short descriptions of secondary page content) below the client’s initial hyperlinks,” the analyst shared, and noted that such a compromise can have an extreme negative impact.

“This harms the website’s reputation with visitors and will lead to a warning on the search engine results page claiming ‘This Site May Be Hacked’. This warning will undoubtedly lower your incoming traffic by a significant amount and affect your ranking position if nothing is done about it.”

Tips for keeping WordPress secure

Leal offered advice for keeping your WP-based site(s) free of infection:

  • Use strong passwords
  • Minimize the number of WP admins
  • Keep WP, themes and plugins updated
  • Remove unused software
  • Use WP hardening techniques.

But if all of that fails and the site is compromised anyway, file integrity monitoring is a reliable way to detect changes like these almost immediately.

“File monitoring does exactly what it sounds like. It forms a baseline of your current environment and then alerts you to any changes to that baseline (i.e. new files, modified files, deleted files, etc.),” he explained.
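The baseline-and-compare approach Leal describes is short to implement. The Python script below is an added example, not Sucuri's product or any code from the article: it hashes every PHP, JS and config file under a WordPress root, stores the result as the baseline, and on the next run reports files that were added, removed or modified. The `demo()` function builds a constructed miniature WordPress tree, takes the baseline, then reproduces the shape of the compromise from the article (a trigger line appended to wp-includes/load.php plus a new file in wp-admin/includes); the include line and the dropped file's contents are hypothetical placeholders, not the real malicious code.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# File types worth baselining in a WordPress install: anything executable or
# config-like. .htaccess has no suffix, so it is matched by name.
WATCHED_SUFFIXES = {".php", ".js", ".html"}
WATCHED_NAMES = {".htaccess", "wp-config.php"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map relative path -> hash for every watched file under root (the baseline)."""
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and (p.suffix in WATCHED_SUFFIXES or p.name in WATCHED_NAMES):
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report added, removed and modified files between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed mini WordPress tree: baseline it, then simulate the infection."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "wp-includes").mkdir()
        (root / "wp-admin" / "includes").mkdir(parents=True)
        (root / "index.php").write_text("<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
        (root / "wp-includes" / "load.php").write_text("<?php\n// clean core file\n")
        (root / "wp-includes" / "class-wp-query.php").write_text("<?php\n// clean core file\n")
        baseline = snapshot(root)

        # Simulate the compromise described in the article: a trigger appended to
        # wp-includes/load.php and a new file dropped into wp-admin/includes.
        # Both lines are hypothetical placeholders, not the real malicious code.
        with (root / "wp-includes" / "load.php").open("a") as f:
            f.write("@include ABSPATH . 'wp-admin/includes/class-wp-text.php';\n")
        (root / "wp-admin" / "includes" / "class-wp-text.php").write_text(
            "<?php\n// hypothetical placeholder for the cloaking script\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Keep the baseline off the web server (an attacker with write access to the docroot can simply rebuild it), and re-baseline only after a legitimate update. For the core files specifically, the same `compare()` logic can be run against the official manifest instead of a local baseline: WordPress.org publishes per-version checksums at https://api.wordpress.org/core/checksums/1.0/?version=VERSION&locale=en_US (MD5, so swap the hash function), and WP-CLI's `wp core verify-checksums` performs exactly this check, flagging both modified core files such as load.php and files like class-wp-text.php that are not part of the release at all.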