Fake SEO Plugin Targets WordPress Sites
WP-Base-SEO is a fake WordPress plugin that security researchers have found installed on over 4000 WordPress sites. WP-Base-SEO is a copy of a legitimate WordPress SEO plugin with added malicious code so the attacker can control infected sites.
When a hacker compromises a WordPress site, standard operating procedure is to inject malicious PHP or JavaScript code. The attackers’ code lets them access the site in the future and hijack its resources and traffic. But foreign code is easy to spot if you know what you’re looking for. A security researcher or automated malware scanner will find obviously out-of-place code quickly.
To avoid being discovered, the creators of WP-Base-SEO are using it as a Trojan horse. For the most part, it looks like a legitimate WordPress plugin. The difference lies in a few tweaks that allow the hackers to execute arbitrary code at will.
To see if your WordPress site has been infected with this malware, look in its /wp-content/plugins folder for directories containing “wp-base-seo”.
It appears the plugin is not being installed by WordPress users. Botnets trawl the internet for vulnerable WordPress sites, hack them, and inject malware. In this case the malware is hidden in a WordPress plugin. This technique depends on the availability of insecure sites: those where WordPress, plugins, and themes haven’t been updated to a recent version.
Many of the sites infected with WP-Base-SEO also have older versions of the RevSlider plugin installed. Older versions of RevSlider contain a critical and easily exploited vulnerability. It’s believed that the RevSlider vulnerability was the vector for the Panama Papers leaks. The attackers are exploiting the RevSlider vulnerability, installing their malware plugin, and using it to control WordPress sites.
The best way to secure your WordPress site is to ensure it’s always kept up-to-date. WordPress Core, plugins, and themes should be updated to the most recent version. There’s a wrinkle where RevSlider is concerned because it’s often bundled with themes and only updated when the theme’s developer chooses to do so. If you have any doubt, contact your theme’s developer.
In this case, the malicious plugin is installed by the attackers to hide their presence, but it’s not unusual for criminals to manipulate WordPress users into installing malware-infested plugins. That’s why it’s important to only install plugins from trusted and reputable sources. If you have any doubts about whether a plugin or theme comes from a trustworthy source, do not install it.
Pirated premium plugins are a particular favorite of criminals. They take the code from a genuine premium plugin, add malware to it, and make it available for free. As a general rule, avoid downloading plugins from anywhere other than the official WordPress Repository, well-regarded theme and plugin marketplaces, or a reputable WordPress developer’s website.
