Over 15,000 WordPress sites hit by malicious SEO campaign


More than 15,000 WordPress websites have been compromised and redirected to fake portals to increase spam website traffic.

A new malicious SEO campaign has successfully compromised over 15,000 WordPress websites. The aim of the campaign is to redirect users to fake Q&A sites to increase visitor traffic.

Over 15,000 WordPress sites compromised

In a new black hat redirect campaign, hackers managed to compromise over 15,000 WordPress websites to boost the search engine rankings of various bogus websites.

As noted in a Sucuri blog post, there has been a noticeable increase in WordPress malware redirect sites since September 2022. These redirect sites lead users to low-quality fake Q&A portals. In the months of September and October alone, hackers were able to successfully target over 2,500 sites.

Sucuri, a security researcher, has so far detected 14 bogus websites with their servers masked by a proxy. The questions displayed on the sites are pulled from other legitimate question and answer platforms. With increased SEO ranking, these sites can reach more people.

Fake Q&A sites can spread malware

Fake sites used in this redirect campaign are capable of spreading malware to visitors. Unlike many malicious sites, these particular fake Q&A forums are capable of modifying more than 100 infected files per site. This is not often done, as it makes their detection and removal more likely.

In the aforementioned blog post, Sucuri stated that most of the infected files are core WordPress files, and listed the most commonly infected ones, all of which have .php extensions:

  • ./wp-signup.php
  • ./wp-cron.php
  • ./wp-links-opml.php
  • ./wp-settings.php
  • ./wp-comments-post.php
  • ./wp-mail.php
  • ./xmlrpc.php
  • ./wp-activate.php
  • ./wp-trackback.php
  • ./wp-blog-header.php

Sucuri also pointed out that the malware was found to be present in some pseudo-legitimate filenames dropped by the hackers themselves, including:

  • RVbCGlEjx6H.php
  • lfojmd.php
  • wp-newslet.php
  • wp-ver.php
  • wp-logln.php
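
A site owner can check a docroot against both lists above. The following is an added example, not code from Sucuri or from this article: it flags any file carrying one of the dropped filenames and compares the listed WordPress files against a clean copy. The `scan_site` function and the `clean_ref` directory (an unpacked, untouched copy of the same WordPress release the site runs) are assumptions of the example.

```python
import hashlib
from pathlib import Path

# WordPress files the article lists as most commonly infected.
CORE_FILES = [
    "wp-signup.php", "wp-cron.php", "wp-links-opml.php", "wp-settings.php",
    "wp-comments-post.php", "wp-mail.php", "xmlrpc.php", "wp-activate.php",
    "wp-trackback.php", "wp-blog-header.php",
]
# Attacker-dropped filenames the article lists.
DROPPED_NAMES = {
    "RVbCGlEjx6H.php", "lfojmd.php", "wp-newslet.php", "wp-ver.php", "wp-logln.php",
}


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_site(docroot, clean_ref):
    """Return (dropped, modified, missing) findings for one WordPress docroot.

    clean_ref is an assumption of this example: a pristine copy of the
    same WordPress release, used as the integrity baseline.
    """
    docroot, clean_ref = Path(docroot), Path(clean_ref)
    # 1. Any .php file anywhere under the docroot with a dropped name.
    dropped = sorted(
        p.relative_to(docroot).as_posix()
        for p in docroot.rglob("*.php")
        if p.is_file() and p.name in DROPPED_NAMES
    )
    # 2. Listed files whose content differs from, or is absent versus, the baseline.
    modified, missing = [], []
    for name in CORE_FILES:
        live, ref = docroot / name, clean_ref / name
        if not ref.is_file():
            continue  # baseline lacks this file; nothing to compare against
        if not live.is_file():
            missing.append(name)
        elif sha256_of(live) != sha256_of(ref):
            modified.append(name)
    return dropped, modified, missing


if __name__ == "__main__":
    import sys
    for label, items in zip(("dropped", "modified", "missing"), scan_site(*sys.argv[1:3])):
        for item in items:
            print(f"{label}: {item}")
```

A clean result for these names does not clear a site, since the campaign modifies more than 100 files per site; comparing the whole tree against the baseline covers the rest.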

Hackers' breach method may be a vulnerable plugin or brute force

Sucuri has yet to uncover how these black hat hackers breach these WordPress sites, but a vulnerable plugin or a brute force attack are thought to be the most likely culprits. Hackers can use an exploit kit to scan plugins for security vulnerabilities to highlight a target. Alternatively, the WordPress site admin login password could be cracked using an algorithm in a brute force attack.

WordPress sites are common targets of exploitation

This is by no means the first time that WordPress sites have been targeted by malicious actors. Millions of WordPress sites have been compromised by cybercriminals in the past, and no doubt many more will continue to fall victim to such attacks.

