Fake SEO plugin backdoors WordPress installations


Administrators of WordPress sites, beware! A fake SEO plugin is being used by attackers to compromise WP installations.


The plugin in question is named WP-Base-SEO, and is a forgery of a legitimate search engine optimization plugin called WordPress SEO Tools.

According to SiteLock’s Jessica Ortega, the offending plugin’s wp-seo-main.php file uses WordPress’s native add_action() hook functionality to run a malicious base64-encoded PHP eval request. The result is the creation of a backdoor.

Ortega does not mention what the crooks behind this malicious plugin do with such access, but you can be sure that whatever their intentions, owners won’t be happy about their site being interfered with.

“If you find a suspicious plugin in your /wp-content/plugins directory, it is best to delete the entire folder and reinstall a clean version of the plugin either in the WordPress admin dashboard or by downloading it directly from WordPress.org,” she advises.

WP admins should regularly check their installations manually for suspicious files.
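One way to automate part of that check, as an added example that is not SiteLock's or WordPress's code: it walks a plugins directory and flags PHP files where eval() wraps base64_decode(), noting when the same file also calls add_action(). The folder name `wp-base-seo` is an assumption derived from the plugin name, and the sample files and their harmless payload are constructed.

```python
import re
import tempfile
from pathlib import Path

# eval( ... base64_decode(, allowing wrapper calls such as gzinflate( in between
EVAL_B64 = re.compile(r"\beval\s*\(\s*(?:@?\w+\s*\(\s*)*base64_decode\s*\(", re.I)
ADD_ACTION = re.compile(r"\badd_action\s*\(", re.I)
# Assumption: the on-disk folder is named after the plugin reported above
KNOWN_BAD_DIRS = {"wp-base-seo"}


def scan_plugins(plugins_dir):
    """Return [(relative_path, reasons)] for suspicious PHP files."""
    root = Path(plugins_dir)
    findings = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(root)
        reasons = []
        if EVAL_B64.search(text):
            reasons.append("eval(base64_decode(...))")
            if ADD_ACTION.search(text):
                reasons.append("registered via add_action()")
        if rel.parts[0].lower() in KNOWN_BAD_DIRS:
            reasons.append("plugin folder name matches WP-Base-SEO")
        if reasons:
            findings.append((rel.as_posix(), reasons))
    return findings

def build_sample_tree(root):
    """Constructed sample: a clean plugin and one mimicking the described pattern."""
    clean, bad = Path(root) / "some-plugin", Path(root) / "wp-base-seo"
    clean.mkdir()
    bad.mkdir()
    # Legitimate use: add_action() and base64_decode(), but nothing is eval'd
    (clean / "some-plugin.php").write_text(
        "<?php\nadd_action('init', 'some_plugin_init');\n"
        "function some_plugin_init() { $x = base64_decode('aGk='); }\n")
    # Harmless placeholder payload (decodes to: echo 1;)
    (bad / "wp-seo-main.php").write_text(
        "<?php\nadd_action('init', 'seo_run');\n"
        "function seo_run() { @eval(base64_decode('ZWNobyAxOw==')); }\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reasons in scan_plugins(tmp):
            print(f"{rel}: {'; '.join(reasons)}")
```

Point `scan_plugins()` at a site's wp-content/plugins directory. A hit is a lead for manual review, and a clean result does not prove absence, since other obfuscation can evade this one pattern.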

“While researching [this] fake plugin, little information was available online. An internet search of the plugin name revealed no information, though multiple sites had been infected by the malware,” Ortega notes. “The search results suggest that the plugin may be flying under the radar of other malware scanners.”

Also, regularly update your WordPress core, themes and plugins, and use strong passwords to secure your installation.