27 Feb, 2018

Malicious Redirects On WordPress Sites Or WP-Config Hijacking

This post explains how hackers use malicious redirects, injected through wp-config.php hijacking, to compromise WordPress sites, and what you can do to prevent or fix them.
Malicious redirects to another URL are nothing new; what varies is how the redirect is implemented. The most popular type of redirect infection that our incident response team handled last year was implemented through themes and plugins. Since we keep seeing more customers infected with this type of redirect, we decided to write a short post about it. So how does this new type of redirect work?
Identifying The Malicious Redirect On WordPress Website
First, let's have a look at the suspicious line that was injected at the bottom of the wp-config.php file:
If you are a seasoned WordPress developer or a malware researcher, you will know that the default wp-config.php file usually ends at around line 90, as the image above shows, and that the last statement in it is normally the require of wp-settings.php. The newly added line after it prompted us to check immediately what the referenced file (wp-includes/class-wp-term-connect.php) was for:
As usual, the file was obfuscated. Here is what the code looks like after running it through a PHP decoder:
We cherry-picked some of the code that we could check. The following code sets the User-Agent used when sending requests to a server:
This line handles the referrer part of the request. The code applies some filtering to check whether the connection request is coming from a search engine bot, such as Google's or Bing's.
This is the part where it connects to the server, which in turn manages the destinations the visitors will be redirected to:
Simply removing the extra line from the wp-config.php file will disable the redirect on your site. But that does not necessarily mean your server is now clean. You need to double-check everything on your end: usually, backdoors have already been planted on the server to reinfect your system.
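One way to check a site for this kind of wp-config.php hijacking during cleanup is a small scanner that flags any include or require statement other than the stock wp-settings.php one, any code after that require (a stock wp-config.php has nothing there), and common obfuscation primitives. The script below is an added example written for this post, not code from the incident described here; the sample wp-config.php tail it scans is constructed, and only the injected file path (wp-includes/class-wp-term-connect.php) comes from the post.

```python
import re
import sys
from pathlib import Path

# Constructed sample: the tail of a wp-config.php with one injected line after the
# standard wp-settings.php require. The injected path is the one named in the post;
# everything else here is made up for the example.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('DB_USER', 'example_user');
define('DB_PASSWORD', 'example_password');
$table_prefix = 'wp_';
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
include_once(ABSPATH . 'wp-includes/class-wp-term-connect.php');
"""

# Any include/require statement; group 1 captures the expression up to the ';'.
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b[\s(]*(.+?)\s*;", re.IGNORECASE)
# The only include a stock wp-config.php should contain.
SETTINGS_RE = re.compile(r"""['"]wp-settings\.php['"]""")
# Functions that have no business in a configuration file.
OBFUSCATION_RE = re.compile(r"\b(?:eval|base64_decode|gzinflate|gzuncompress|str_rot13|assert)\s*\(",
                            re.IGNORECASE)


def find_suspicious_includes(source: str):
    """Return a list of (line_number, line_text, reason) tuples for lines in a
    wp-config.php source that a defender should review by hand."""
    findings = []
    settings_seen = False
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        # Skip blank lines and comment lines (docblock lines start with '*').
        if not line or line.startswith(("//", "#", "*", "/*")):
            continue
        m = INCLUDE_RE.search(line)
        if m:
            if SETTINGS_RE.search(m.group(1)):
                settings_seen = True  # the stock require; everything after it is suspect
            else:
                findings.append((lineno, line, "include/require of a file other than wp-settings.php"))
            continue
        if OBFUSCATION_RE.search(line):
            findings.append((lineno, line, "obfuscation primitive in wp-config.php"))
        elif settings_seen:
            findings.append((lineno, line, "code after the wp-settings.php require"))
    return findings


def scan_file(path: str):
    """Scan a wp-config.php on disk (assumed path supplied by the operator)."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return find_suspicious_includes(text)


if __name__ == "__main__":
    # Usage: python wpconfig_check.py /path/to/wp-config.php
    # With no argument, the constructed sample above is scanned instead.
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_suspicious_includes(SAMPLE_WP_CONFIG)
    if not results:
        print("no suspicious lines found")
    for lineno, line, reason in results:
        print(f"line {lineno}: {reason}\n    {line}")
```

The scanner is a triage aid, not proof of cleanliness: a hit means "inspect this line and the file it references", and an empty result only covers wp-config.php itself, so the rest of the install (wp-includes, wp-content, .htaccess) still needs to be compared against a known-good copy as the cleanup advice above describes.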
If you need professional assistance in removing this or any other malware, we can assign a malware analyst to check your system and harden your security settings for the benefit of your site visitors and your business. Just head over to the ThreatSign Website Antimalware plans page and check our products and services. If you're not sure which plan to select, contact us and let us help you choose the best cybersecurity protection for your business.