Fake SEO Plugin Infects 4000 WordPress Sites

The Attack

It is very crucial to keep your WordPress admin area protected. A fake WordPress Plugin called WP-Base-SEO which is based on a legitimate SEO module has infected about 4,000 WordPress websites in the past two weeks.

This plugin intended to boost users traffic but what it actually did was create a backdoor to the victimized site. The cyber attacker is likely scanning the internet looking for outdated WordPress plugins, particularly those running a plugin called RevSlider, SiteLock said.

Lead security analyst at security firm SiteLock, that found the bogus plugin says, “They have stolen the code from an existing SEO plugin and tweaked it to appear as legitimate. That way, should a WordPress site owner poke around and look for suspicious activity, they might easily overlook it as a legitimate SEO plugin.”

Malicious Intent

After a closer examination of the fake WP-Base-SEO malware, it was revealed that its malicious intent was in the form of a base64 encoded PHP eval request, according to a technical blog. “Eval is a PHP function that executes arbitrary PHP code. It is commonly used for malicious purposes and php.net recommends against using it,” SiteLock said.

How to avoid such attacks

SiteLock recommended. “If you find a suspicious plugin in your /wp-content/plugins directory, it is best to delete the entire folder and reinstall a clean version of the plugin either in the WordPress admin dashboard or by downloading it directly from WordPress.org.” You can always backup your WordPress site, in case your site gets infected, in order to avoid loss of data.

Also read: Five Great Security Plugins for WordPress